Bug 1475124 - There is an assertion aborted in tiffvisitor.cpp of exiv2/libexiv2.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
7.5-Alt
x86_64 Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Jan Grulich
Desktop QE
: Reopened
Depends On:
Blocks: CVE-2017-11683
Reported: 2017-07-26 02:33 EDT by owl337
Modified: 2017-08-31 10:57 EDT (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-26 06:34:34 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Triggered by "./exiv2 $POC" (362 bytes, application/x-rar)
2017-08-07 07:15 EDT, owl337

Description owl337 2017-07-26 02:33:39 EDT
Description of problem:

There is an assertion aborted in tiffvisitor.cpp of exiv2/libexiv2.

Version-Release number of selected component (if applicable):

the latest trunk version

How reproducible:

./exiv2 POC

Steps to Reproduce:

The output information is as follows:

$./exiv2 POC

invalid type value detected in Image::printIFDStructure:  0
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0002 is out of bounds: Offset = 0x00000002, size = 65540, exceeds buffer size by 64830 Bytes; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 497; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02297fba; truncating the entry
Warning: Directory Image, entry 0x4900 has unknown Exif (TIFF) type 18697; setting type size 1.
Error: Directory Image, entry 0x4900 has invalid size 524428033*1; skipping entry.
Warning: Directory Image, entry 0x8000 has unknown Exif (TIFF) type 65535; setting type size 1.
Error: Offset of directory Image, entry 0x8000 is out of bounds: Offset = 0xff7f0222; truncating the entry
Warning: Directory Image, entry 0x02ef has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x02ef has invalid size 1325435904*1; skipping entry.
Error: Offset of directory Image, entry 0x0149 is out of bounds: Offset = 0x03020200; truncating the entry
Warning: Directory Image, entry 0x8800 has unknown Exif (TIFF) type 65279; setting type size 1.
Warning: Directory Image, entry 0xff02 has unknown Exif (TIFF) type 4866; setting type size 1.
Error: Offset of directory Image, entry 0xff02 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4278125056*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x490a4901; truncating the entry
Warning: Directory Image, entry 0x0201 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0201 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 65416; setting type size 1.
Error: Directory Image, entry 0x0002 has invalid size 284819469*1; skipping entry.
Warning: Directory Image, entry 0x0207 has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0x0207 is out of bounds: Offset = 0x007f5d00; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 18689; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00010000; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 511; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4143941632*1; skipping entry.
Warning: Directory Image, entry 0x0227 has unknown Exif (TIFF) type 1794; setting type size 1.
Error: Offset of directory Image, entry 0x0227 is out of bounds: Offset = 0x7f022202; truncating the entry
Warning: Directory Image, entry 0xefff has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0xefff is out of bounds: Offset = 0x02020202; truncating the entry
Warning: Directory Image, entry 0x1002 has unknown Exif (TIFF) type 6914; setting type size 1.
Error: Offset of directory Image, entry 0x1002 is out of bounds: Offset = 0x7f020202; truncating the entry
Warning: Directory Image, entry 0x4947 has unknown Exif (TIFF) type 14406; setting type size 1.
Error: Directory Image, entry 0x4947 has invalid size 587292985*1; skipping entry.
Warning: Directory Image, entry 0x0202 has unknown Exif (TIFF) type 32768; setting type size 1.
Error: Directory Image, entry 0x0202 has invalid size 2147680255*1; skipping entry.
Warning: Directory Image, entry 0x0201: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0xfeff has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0xfeff is out of bounds: Offset = 0x0000fef5; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 18688; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x0201ff02; truncating the entry
Error: Directory Image, entry 0x0002 has invalid size 4278125129*1; skipping entry.
Error: Directory Image, entry 0x8825 Sub-IFD pointer 3 is out of bounds; ignoring it.
Error: Directory GPSInfo with 257 entries considered invalid; not read.
Error: Directory Iop with 18761 entries considered invalid; not read.
exiv2: tiffvisitor.cpp:1299: virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *): Assertion `tc.get()' failed.
Aborted


GDB debugging information is as follows:
(gdb) set args POC
(gdb) b tiffvisitor.cpp:1299 
Breakpoint 1 at 0x7ffff75c08bd: file tiffvisitor.cpp, line 1299.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/icy/real/exiv2-trunk/install/bin/exiv2 ../output/crashes/id:000034,sig:06,src:004666,op:int32,pos:198,val:be:+100
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
invalid type value detected in Image::printIFDStructure:  0

Breakpoint 1, Exiv2::Internal::TiffReader::visitDirectory (this=0x7fffffffd490, object=0x68c1b0) at tiffvisitor.cpp:1299
1299	            assert(tc.get());
(gdb) c 42 
Will ignore next 41 crossings of breakpoint 1.  Continuing.
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0002 is out of bounds: Offset = 0x00000002, size = 65540, exceeds buffer size by 64830 Bytes; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 497; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02297fba; truncating the entry
Warning: Directory Image, entry 0x4900 has unknown Exif (TIFF) type 18697; setting type size 1.
Error: Directory Image, entry 0x4900 has invalid size 524428033*1; skipping entry.
Warning: Directory Image, entry 0x8000 has unknown Exif (TIFF) type 65535; setting type size 1.
Error: Offset of directory Image, entry 0x8000 is out of bounds: Offset = 0xff7f0222; truncating the entry
Warning: Directory Image, entry 0x02ef has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x02ef has invalid size 1325435904*1; skipping entry.
Error: Offset of directory Image, entry 0x0149 is out of bounds: Offset = 0x03020200; truncating the entry
Warning: Directory Image, entry 0x8800 has unknown Exif (TIFF) type 65279; setting type size 1.
Warning: Directory Image, entry 0xff02 has unknown Exif (TIFF) type 4866; setting type size 1.
Error: Offset of directory Image, entry 0xff02 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4278125056*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x490a4901; truncating the entry
Warning: Directory Image, entry 0x0201 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0201 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 65416; setting type size 1.
Error: Directory Image, entry 0x0002 has invalid size 284819469*1; skipping entry.
Warning: Directory Image, entry 0x0207 has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0x0207 is out of bounds: Offset = 0x007f5d00; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 18689; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00010000; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 511; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4143941632*1; skipping entry.
Warning: Directory Image, entry 0x0227 has unknown Exif (TIFF) type 1794; setting type size 1.
Error: Offset of directory Image, entry 0x0227 is out of bounds: Offset = 0x7f022202; truncating the entry
Warning: Directory Image, entry 0xefff has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0xefff is out of bounds: Offset = 0x02020202; truncating the entry
Warning: Directory Image, entry 0x1002 has unknown Exif (TIFF) type 6914; setting type size 1.
Error: Offset of directory Image, entry 0x1002 is out of bounds: Offset = 0x7f020202; truncating the entry
Warning: Directory Image, entry 0x4947 has unknown Exif (TIFF) type 14406; setting type size 1.
Error: Directory Image, entry 0x4947 has invalid size 587292985*1; skipping entry.
Warning: Directory Image, entry 0x0202 has unknown Exif (TIFF) type 32768; setting type size 1.
Error: Directory Image, entry 0x0202 has invalid size 2147680255*1; skipping entry.
Warning: Directory Image, entry 0x0201: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0xfeff has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0xfeff is out of bounds: Offset = 0x0000fef5; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 18688; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x0201ff02; truncating the entry
Error: Directory Image, entry 0x0002 has invalid size 4278125129*1; skipping entry.
Error: Directory Image, entry 0x8825 Sub-IFD pointer 3 is out of bounds; ignoring it.
Error: Directory GPSInfo with 257 entries considered invalid; not read.
Error: Directory Iop with 18761 entries considered invalid; not read.

Breakpoint 1, Exiv2::Internal::TiffReader::visitDirectory (this=0x7fffffffd490, object=0x68b020) at tiffvisitor.cpp:1299
1299	            assert(tc.get());
(gdb) n
exiv2: tiffvisitor.cpp:1299: virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *): Assertion `tc.get()' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff66901c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) 
(gdb) bt
#0  0x00007ffff66901c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff6691e2a in __GI_abort () at abort.c:89
#2  0x00007ffff66890bd in __assert_fail_base (fmt=0x7ffff67eaf78 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", 
    assertion=assertion@entry=0x7ffff770d9d2 "tc.get()", file=file@entry=0x7ffff770ccc2 "tiffvisitor.cpp", 
    line=line@entry=1299, 
    function=function@entry=0x7ffff770d8d7 "virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *)") at assert.c:92
#3  0x00007ffff6689172 in __GI___assert_fail (assertion=0x7ffff770d9d2 "tc.get()", 
    file=0x7ffff770ccc2 "tiffvisitor.cpp", line=1299, 
    function=0x7ffff770d8d7 "virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *)") at assert.c:101
#4  0x00007ffff75c17ba in Exiv2::Internal::TiffReader::visitDirectory (this=<optimized out>, object=<optimized out>)
    at tiffvisitor.cpp:1299
#5  0x00007ffff758842a in Exiv2::Internal::TiffDirectory::doAccept (this=0x68b020, visitor=...) at tiffcomposite.cpp:916
#6  0x00007ffff758883d in Exiv2::Internal::TiffComponent::accept (this=0x68b020, visitor=...) at tiffcomposite.cpp:891
#7  Exiv2::Internal::TiffSubIfd::doAccept (this=0x68b290, visitor=...) at tiffcomposite.cpp:931
#8  0x00007ffff758850c in Exiv2::Internal::TiffComponent::accept (this=0x68b290, visitor=...) at tiffcomposite.cpp:891
#9  Exiv2::Internal::TiffDirectory::doAccept (this=0x68c1b0, visitor=...) at tiffcomposite.cpp:919
#10 0x00007ffff7588268 in Exiv2::Internal::TiffComponent::accept (this=0x68c1b0, visitor=...) at tiffcomposite.cpp:891
#11 0x00007ffff759f7d4 in Exiv2::Internal::TiffParserWorker::parse (pData=<optimized out>, size=<optimized out>, 
    root=<optimized out>, pHeader=<optimized out>) at tiffimage.cpp:2011
#12 0x00007ffff759bf9f in Exiv2::Internal::TiffParserWorker::decode (exifData=..., iptcData=..., xmpData=..., 
    pData=0x7ffff7ff4000 "II*", size=712, root=131072, findDecoderFct=0x2c8, pHeader=<optimized out>)
    at tiffimage.cpp:1900
---Type <return> to continue, or q <return> to quit---
#13 0x00007ffff75995fa in Exiv2::TiffParser::decode (exifData=..., iptcData=..., xmpData=..., 
    pData=0x7ffff7ff4000 "II*", size=712) at tiffimage.cpp:260
#14 Exiv2::TiffImage::readMetadata (this=0x68c000) at tiffimage.cpp:192
#15 0x0000000000426ecb in Action::Print::printSummary (this=0x68bd10) at actions.cpp:289
#16 0x0000000000426a4c in Action::Print::run (this=0x68bd10, path=...) at actions.cpp:244
#17 0x00000000004078c0 in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170

This vulnerability was triggered after the TiffReader::visitDirectory(TiffDirectory* object) at tiffvisitor.cpp:1299

1260     void TiffReader::visitDirectory(TiffDirectory* object)
 ...
1286         for (uint16_t i = 0; i < n; ++i) {
1287             if (p + 12 > pLast_) {
1288 #ifndef SUPPRESS_WARNINGS
1289                 EXV_ERROR << "Directory " << groupName(object->group())
1290                           << ": IFD entry " << i
1291                           << " lies outside of the data buffer.\n";
1292 #endif
1293                 return;
1294             }
1295             uint16_t tag = getUShort(p, byteOrder());
1296             TiffComponent::AutoPtr tc = TiffCreator::create(tag, object->group());
1297             // The assertion typically fails if a component is not configured in
1298             // the TIFF structure table
1299             assert(tc.get());
1300             tc->setStart(p);
1301             object->addChild(tc);
1302             p += 12;
1303         }
 ...


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
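The loop quoted above treats the result of TiffCreator::create as a program invariant, but the tag that selects the component is read straight from the file, so a tag with no entry in the TIFF structure table reaches assert() and aborts the whole process: an assertion failure on crafted input, which is the denial of service tracked as CVE-2017-11683. The C++ below is an added example, not exiv2 code and not part of this report. It models the same entry loop with hypothetical stand-ins (Component, kStructureTable, create, readDirectory, buildEntries, runSample), keeps the existing "p + 12 > pLast" bounds check, and replaces the assert with warn-and-skip so that an unconfigured tag is handled as a data error rather than a programming error. The structure table and the sample directory are constructed for the example; tag 0x4947 is taken from the log above.

```cpp
// Added example, not exiv2 code: models the IFD entry loop of
// TiffReader::visitDirectory (tiffvisitor.cpp:1286-1303 as quoted in the
// report) and shows assert(tc.get()) replaced by a graceful skip.
#include <cstdint>
#include <iostream>
#include <memory>
#include <set>
#include <vector>

namespace demo {

// Hypothetical stand-in for exiv2's TiffComponent: only the tag is kept.
struct Component {
    uint16_t tag;
    explicit Component(uint16_t t) : tag(t) {}
};

// Hypothetical stand-in for the TIFF structure table consulted by
// TiffCreator::create. The tag set is constructed for this example and is
// not exiv2's real table.
static const std::set<uint16_t> kStructureTable = {0x0100, 0x0101, 0x0102, 0x0103};

// Mirrors TiffCreator::create returning a null pointer for a tag that has
// no configured component.
std::unique_ptr<Component> create(uint16_t tag) {
    if (kStructureTable.count(tag) == 0) return nullptr;
    return std::unique_ptr<Component>(new Component(tag));
}

// Little-endian 16-bit read, as for an "II" TIFF file.
uint16_t getUShort(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }

// Outcome of reading one directory.
struct DirectoryResult {
    std::vector<uint16_t> accepted;   // tags that became children
    std::vector<uint16_t> skipped;    // tags with no configured component
    bool truncated = false;           // an entry lay outside the buffer
};

// Hardened version of the loop: `p` points at the first 12-byte IFD entry,
// `n` is the entry count read from the (untrusted) IFD header, `pLast` is
// one past the end of the buffer.
DirectoryResult readDirectory(const uint8_t* p, uint16_t n, const uint8_t* pLast) {
    DirectoryResult r;
    for (uint16_t i = 0; i < n; ++i) {
        if (p + 12 > pLast) {          // same bounds check as the original
            r.truncated = true;
            return r;
        }
        uint16_t tag = getUShort(p);
        std::unique_ptr<Component> tc = create(tag);
        if (!tc) {
            // The tag came from the file, so a missing component is a data
            // error: report it and continue instead of aborting.
            std::cerr << "Warning: IFD entry " << i << " tag 0x" << std::hex << tag
                      << std::dec << " has no configured component; skipping\n";
            r.skipped.push_back(tag);
            p += 12;
            continue;
        }
        r.accepted.push_back(tc->tag);
        p += 12;
    }
    return r;
}

// Builds a constructed block of IFD entries (no header) from a tag list:
// each entry is tag(2) type(2) count(4) value/offset(4), little-endian.
std::vector<uint8_t> buildEntries(const std::vector<uint16_t>& tags) {
    std::vector<uint8_t> buf;
    for (uint16_t t : tags) {
        uint8_t e[12] = {uint8_t(t & 0xff), uint8_t(t >> 8), 3, 0, 1, 0, 0, 0, 0, 0, 0, 0};
        buf.insert(buf.end(), e, e + 12);
    }
    return buf;
}

// Runs the hardened reader over a constructed directory that mixes known
// tags with one unknown tag (0x4947, seen in the report's log) and whose
// declared entry count overruns the buffer, as a corrupt directory would.
DirectoryResult runSample() {
    std::vector<uint8_t> buf = buildEntries({0x0100, 0x4947, 0x0101});
    return readDirectory(buf.data(), 4, buf.data() + buf.size());
}

} // namespace demo

int main() {
    demo::DirectoryResult r = demo::runSample();
    std::cout << "accepted=" << r.accepted.size() << " skipped=" << r.skipped.size()
              << " truncated=" << r.truncated << "\n";
    return 0;
}
```

Run stand-alone it prints "accepted=2 skipped=1 truncated=1": the two configured tags are kept, the unknown tag is logged and skipped, and the fourth entry claimed by the header but absent from the buffer stops the loop without ever reaching an assert.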
Comment 4 Henri Salo 2017-07-30 01:44:52 EDT
Could you attach a sample file for this issue? Thank you. Did you check whether the latest codebase from upstream is affected, and report this to them as well?
Comment 5 owl337 2017-08-07 07:15 EDT
Created attachment 1310025 [details]
Triggered by  "./exiv2 $POC"
Comment 6 Henri Salo 2017-08-08 10:32:34 EDT
Reported to upstream here: http://dev.exiv2.org/issues/1307

You should report these to upstream by default and here as well if Red Hat packages are affected.
Comment 7 Raphaël Hertzog 2017-08-31 10:57:59 EDT
Oops, I reported a duplicate on Github: https://github.com/Exiv2/exiv2/issues/57
