Bug 1475124 - There is an assertion aborted in tiffvisitor.cpp of exiv2/libexiv2.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Platform: x86_64 Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Jan Grulich
QA Contact: Desktop QE
Keywords: Reopened
Blocks: CVE-2017-11683

Reported: 2017-07-26 02:33 EDT by owl337
Modified: 2017-08-08 10:32 EDT
Last Closed: 2017-07-26 06:34:34 EDT
Type: Bug

Attachments:
Triggered by "./exiv2 $POC" (362 bytes, application/x-rar), 2017-08-07 07:15 EDT, owl337

Description owl337 2017-07-26 02:33:39 EDT
Description of problem:

There is an assertion aborted in tiffvisitor.cpp of exiv2/libexiv2.

Version-Release number of selected component (if applicable):

the latest trunk version

How reproducible:

./exiv2 POC

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC

invalid type value detected in Image::printIFDStructure:  0
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0002 is out of bounds: Offset = 0x00000002, size = 65540, exceeds buffer size by 64830 Bytes; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 497; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02297fba; truncating the entry
Warning: Directory Image, entry 0x4900 has unknown Exif (TIFF) type 18697; setting type size 1.
Error: Directory Image, entry 0x4900 has invalid size 524428033*1; skipping entry.
Warning: Directory Image, entry 0x8000 has unknown Exif (TIFF) type 65535; setting type size 1.
Error: Offset of directory Image, entry 0x8000 is out of bounds: Offset = 0xff7f0222; truncating the entry
Warning: Directory Image, entry 0x02ef has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x02ef has invalid size 1325435904*1; skipping entry.
Error: Offset of directory Image, entry 0x0149 is out of bounds: Offset = 0x03020200; truncating the entry
Warning: Directory Image, entry 0x8800 has unknown Exif (TIFF) type 65279; setting type size 1.
Warning: Directory Image, entry 0xff02 has unknown Exif (TIFF) type 4866; setting type size 1.
Error: Offset of directory Image, entry 0xff02 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4278125056*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x490a4901; truncating the entry
Warning: Directory Image, entry 0x0201 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0201 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 65416; setting type size 1.
Error: Directory Image, entry 0x0002 has invalid size 284819469*1; skipping entry.
Warning: Directory Image, entry 0x0207 has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0x0207 is out of bounds: Offset = 0x007f5d00; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 18689; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00010000; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 511; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4143941632*1; skipping entry.
Warning: Directory Image, entry 0x0227 has unknown Exif (TIFF) type 1794; setting type size 1.
Error: Offset of directory Image, entry 0x0227 is out of bounds: Offset = 0x7f022202; truncating the entry
Warning: Directory Image, entry 0xefff has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0xefff is out of bounds: Offset = 0x02020202; truncating the entry
Warning: Directory Image, entry 0x1002 has unknown Exif (TIFF) type 6914; setting type size 1.
Error: Offset of directory Image, entry 0x1002 is out of bounds: Offset = 0x7f020202; truncating the entry
Warning: Directory Image, entry 0x4947 has unknown Exif (TIFF) type 14406; setting type size 1.
Error: Directory Image, entry 0x4947 has invalid size 587292985*1; skipping entry.
Warning: Directory Image, entry 0x0202 has unknown Exif (TIFF) type 32768; setting type size 1.
Error: Directory Image, entry 0x0202 has invalid size 2147680255*1; skipping entry.
Warning: Directory Image, entry 0x0201: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0xfeff has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0xfeff is out of bounds: Offset = 0x0000fef5; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 18688; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x0201ff02; truncating the entry
Error: Directory Image, entry 0x0002 has invalid size 4278125129*1; skipping entry.
Error: Directory Image, entry 0x8825 Sub-IFD pointer 3 is out of bounds; ignoring it.
Error: Directory GPSInfo with 257 entries considered invalid; not read.
Error: Directory Iop with 18761 entries considered invalid; not read.
exiv2: tiffvisitor.cpp:1299: virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *): Assertion `tc.get()' failed.
Aborted


GDB debugging information is as follows:
(gdb) set args POC
(gdb) b tiffvisitor.cpp:1299 
Breakpoint 1 at 0x7ffff75c08bd: file tiffvisitor.cpp, line 1299.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/icy/real/exiv2-trunk/install/bin/exiv2 ../output/crashes/id:000034,sig:06,src:004666,op:int32,pos:198,val:be:+100
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
invalid type value detected in Image::printIFDStructure:  0

Breakpoint 1, Exiv2::Internal::TiffReader::visitDirectory (this=0x7fffffffd490, object=0x68c1b0) at tiffvisitor.cpp:1299
1299	            assert(tc.get());
(gdb) c 42 
Will ignore next 41 crossings of breakpoint 1.  Continuing.
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0002 is out of bounds: Offset = 0x00000002, size = 65540, exceeds buffer size by 64830 Bytes; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 497; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02297fba; truncating the entry
Warning: Directory Image, entry 0x4900 has unknown Exif (TIFF) type 18697; setting type size 1.
Error: Directory Image, entry 0x4900 has invalid size 524428033*1; skipping entry.
Warning: Directory Image, entry 0x8000 has unknown Exif (TIFF) type 65535; setting type size 1.
Error: Offset of directory Image, entry 0x8000 is out of bounds: Offset = 0xff7f0222; truncating the entry
Warning: Directory Image, entry 0x02ef has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x02ef has invalid size 1325435904*1; skipping entry.
Error: Offset of directory Image, entry 0x0149 is out of bounds: Offset = 0x03020200; truncating the entry
Warning: Directory Image, entry 0x8800 has unknown Exif (TIFF) type 65279; setting type size 1.
Warning: Directory Image, entry 0xff02 has unknown Exif (TIFF) type 4866; setting type size 1.
Error: Offset of directory Image, entry 0xff02 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4278125056*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x490a4901; truncating the entry
Warning: Directory Image, entry 0x0201 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0201 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 65416; setting type size 1.
Error: Directory Image, entry 0x0002 has invalid size 284819469*1; skipping entry.
Warning: Directory Image, entry 0x0207 has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0x0207 is out of bounds: Offset = 0x007f5d00; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 18689; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00010000; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 511; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4143941632*1; skipping entry.
Warning: Directory Image, entry 0x0227 has unknown Exif (TIFF) type 1794; setting type size 1.
Error: Offset of directory Image, entry 0x0227 is out of bounds: Offset = 0x7f022202; truncating the entry
Warning: Directory Image, entry 0xefff has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0xefff is out of bounds: Offset = 0x02020202; truncating the entry
Warning: Directory Image, entry 0x1002 has unknown Exif (TIFF) type 6914; setting type size 1.
Error: Offset of directory Image, entry 0x1002 is out of bounds: Offset = 0x7f020202; truncating the entry
Warning: Directory Image, entry 0x4947 has unknown Exif (TIFF) type 14406; setting type size 1.
Error: Directory Image, entry 0x4947 has invalid size 587292985*1; skipping entry.
Warning: Directory Image, entry 0x0202 has unknown Exif (TIFF) type 32768; setting type size 1.
Error: Directory Image, entry 0x0202 has invalid size 2147680255*1; skipping entry.
Warning: Directory Image, entry 0x0201: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0xfeff has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0xfeff is out of bounds: Offset = 0x0000fef5; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 18688; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x0201ff02; truncating the entry
Error: Directory Image, entry 0x0002 has invalid size 4278125129*1; skipping entry.
Error: Directory Image, entry 0x8825 Sub-IFD pointer 3 is out of bounds; ignoring it.
Error: Directory GPSInfo with 257 entries considered invalid; not read.
Error: Directory Iop with 18761 entries considered invalid; not read.

Breakpoint 1, Exiv2::Internal::TiffReader::visitDirectory (this=0x7fffffffd490, object=0x68b020) at tiffvisitor.cpp:1299
1299	            assert(tc.get());
(gdb) n
exiv2: tiffvisitor.cpp:1299: virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *): Assertion `tc.get()' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff66901c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) 
(gdb) bt
#0  0x00007ffff66901c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff6691e2a in __GI_abort () at abort.c:89
#2  0x00007ffff66890bd in __assert_fail_base (fmt=0x7ffff67eaf78 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=assertion@entry=0x7ffff770d9d2 "tc.get()", file=file@entry=0x7ffff770ccc2 "tiffvisitor.cpp", 
    line=line@entry=1299, 
    function=function@entry=0x7ffff770d8d7 "virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *)") at assert.c:92
#3  0x00007ffff6689172 in __GI___assert_fail (assertion=0x7ffff770d9d2 "tc.get()", 
    file=0x7ffff770ccc2 "tiffvisitor.cpp", line=1299, 
    function=0x7ffff770d8d7 "virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *)") at assert.c:101
#4  0x00007ffff75c17ba in Exiv2::Internal::TiffReader::visitDirectory (this=<optimized out>, object=<optimized out>)
    at tiffvisitor.cpp:1299
#5  0x00007ffff758842a in Exiv2::Internal::TiffDirectory::doAccept (this=0x68b020, visitor=...) at tiffcomposite.cpp:916
#6  0x00007ffff758883d in Exiv2::Internal::TiffComponent::accept (this=0x68b020, visitor=...) at tiffcomposite.cpp:891
#7  Exiv2::Internal::TiffSubIfd::doAccept (this=0x68b290, visitor=...) at tiffcomposite.cpp:931
#8  0x00007ffff758850c in Exiv2::Internal::TiffComponent::accept (this=0x68b290, visitor=...) at tiffcomposite.cpp:891
#9  Exiv2::Internal::TiffDirectory::doAccept (this=0x68c1b0, visitor=...) at tiffcomposite.cpp:919
#10 0x00007ffff7588268 in Exiv2::Internal::TiffComponent::accept (this=0x68c1b0, visitor=...) at tiffcomposite.cpp:891
#11 0x00007ffff759f7d4 in Exiv2::Internal::TiffParserWorker::parse (pData=<optimized out>, size=<optimized out>, 
    root=<optimized out>, pHeader=<optimized out>) at tiffimage.cpp:2011
#12 0x00007ffff759bf9f in Exiv2::Internal::TiffParserWorker::decode (exifData=..., iptcData=..., xmpData=..., 
    pData=0x7ffff7ff4000 "II*", size=712, root=131072, findDecoderFct=0x2c8, pHeader=<optimized out>)
    at tiffimage.cpp:1900
---Type <return> to continue, or q <return> to quit---
#13 0x00007ffff75995fa in Exiv2::TiffParser::decode (exifData=..., iptcData=..., xmpData=..., 
    pData=0x7ffff7ff4000 "II*", size=712) at tiffimage.cpp:260
#14 Exiv2::TiffImage::readMetadata (this=0x68c000) at tiffimage.cpp:192
#15 0x0000000000426ecb in Action::Print::printSummary (this=0x68bd10) at actions.cpp:289
#16 0x0000000000426a4c in Action::Print::run (this=0x68bd10, path=...) at actions.cpp:244
#17 0x00000000004078c0 in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170

This vulnerability was triggered after the TiffReader::visitDirectory(TiffDirectory* object) at tiffvisitor.cpp:1299.

1260     void TiffReader::visitDirectory(TiffDirectory* object)
 ...
1286         for (uint16_t i = 0; i < n; ++i) {
1287             if (p + 12 > pLast_) {
1288 #ifndef SUPPRESS_WARNINGS
1289                 EXV_ERROR << "Directory " << groupName(object->group())
1290                           << ": IFD entry " << i
1291                           << " lies outside of the data buffer.\n";
1292 #endif
1293                 return;
1294             }
1295             uint16_t tag = getUShort(p, byteOrder());
1296             TiffComponent::AutoPtr tc = TiffCreator::create(tag, object->group());
1297             // The assertion typically fails if a component is not configured in
1298             // the TIFF structure table
1299             assert(tc.get());
1300             tc->setStart(p);
1301             object->addChild(tc);
1302             p += 12;
1303         }
 ...


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
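The failing assert in the report fires when TiffCreator::create returns null, that is, when an IFD entry names a (tag, group) pair that the TIFF structure table does not know. Because the tag comes straight from the file, that condition is untrusted input, not a programming error, and a parser should skip the entry and keep going instead of aborting. The following self-contained C++ walker is an added example written for this page; it is not exiv2's code and not the upstream fix. It goes slightly beyond the snippet above by also stopping cleanly when the 16-bit entry count claims more 12-byte entries than the buffer holds. The Group enum, the kStructureTable contents, the demo namespace and both sample buffers are assumptions constructed for the example.

```cpp
// Added example (not exiv2's code): a minimal little-endian TIFF IFD walker that
// treats an unknown (tag, group) pair as malformed input, not as a programming
// error. The structure table, Group enum and sample buffers are constructed
// for illustration.
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

namespace demo {

enum class Group { Image, Exif, GPSInfo };

struct Component {
    uint16_t tag;
    Group group;
    size_t start;  // offset of the 12-byte entry within the buffer
};

// Hypothetical stand-in for the TIFF structure table that TiffCreator::create
// consults in exiv2: only these (tag, group) pairs have a configured component.
using Key = std::pair<uint16_t, Group>;
static const std::map<Key, std::string> kStructureTable = {
    {{0x0100, Group::Image}, "ImageWidth"},
    {{0x0101, Group::Image}, "ImageLength"},
    {{0x8769, Group::Image}, "ExifIFDPointer"},
    {{0x8825, Group::Image}, "GPSInfoIFDPointer"},
};

// Like TiffCreator::create: returns null when nothing is configured for the pair.
std::unique_ptr<Component> create(uint16_t tag, Group group, size_t start) {
    if (kStructureTable.find(Key(tag, group)) == kStructureTable.end()) return nullptr;
    return std::unique_ptr<Component>(new Component{tag, group, start});
}

static uint16_t getUShortLE(const uint8_t* p) {
    return static_cast<uint16_t>(p[0] | (p[1] << 8));
}

struct ParseResult {
    std::vector<Component> children;
    size_t skippedUnknown = 0;  // entries with no configured component
    bool truncated = false;     // entry table ran past the end of the buffer
};

// Walk one IFD at `dirOffset`: a 2-byte entry count followed by n 12-byte entries.
// Unlike the loop in the report, a null component is recorded and skipped rather
// than asserted on, and an entry count that overruns the buffer stops the walk.
ParseResult readDirectory(const std::vector<uint8_t>& buf, size_t dirOffset, Group group) {
    ParseResult r;
    if (dirOffset + 2 > buf.size()) { r.truncated = true; return r; }
    uint16_t n = getUShortLE(buf.data() + dirOffset);
    size_t pos = dirOffset + 2;
    for (uint16_t i = 0; i < n; ++i) {
        if (pos + 12 > buf.size()) { r.truncated = true; return r; }
        uint16_t tag = getUShortLE(buf.data() + pos);
        std::unique_ptr<Component> tc = create(tag, group, pos);
        if (!tc) {
            ++r.skippedUnknown;  // untrusted input: skip the entry, keep parsing
        } else {
            r.children.push_back(*tc);
        }
        pos += 12;
    }
    return r;
}

// Constructed sample IFD: three SHORT entries, the middle one with tag 0x4900,
// which is absent from the table (the same tag appears in the report's warnings).
std::vector<uint8_t> sampleIfd() {
    std::vector<uint8_t> b;
    auto put16 = [&b](uint16_t v) { b.push_back(v & 0xff); b.push_back(v >> 8); };
    auto put32 = [&b](uint32_t v) { for (int i = 0; i < 4; ++i) b.push_back((v >> (8 * i)) & 0xff); };
    auto entry = [&](uint16_t tag) { put16(tag); put16(3); put32(1); put32(0); };
    put16(3);                                   // entry count
    entry(0x0100); entry(0x4900); entry(0x0101);
    put32(0);                                   // next-IFD pointer: none
    return b;
}

// The same directory with an entry count far larger than the buffer can hold.
std::vector<uint8_t> overlongIfd() {
    std::vector<uint8_t> b = sampleIfd();
    b[0] = 0xff; b[1] = 0xff;  // n = 65535
    return b;
}

}  // namespace demo
```

Running readDirectory over sampleIfd() yields two children and one skipped entry; over overlongIfd() it yields the same two children and then reports truncation instead of reading past the buffer. Counting the skipped and truncated cases, rather than silently dropping them, is what lets a caller decide whether the file is merely unusual or actively malformed.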
Comment 4 Henri Salo 2017-07-30 01:44:52 EDT
Could you attach sample file for this issue, thank you? Did you check if latest codebase from upstream is affected and report this to them as well?
Comment 5 owl337 2017-08-07 07:15 EDT
Created attachment 1310025 [details]
Triggered by  "./exiv2 $POC"
Comment 6 Henri Salo 2017-08-08 10:32:34 EDT
Reported to upstream in here: http://dev.exiv2.org/issues/1307

You should report these to upstream by default and here as well if Red Hat packages are affected.
