Description of problem:
There is an assertion aborted in tiffvisitor.cpp of exiv2/libexiv2.

Version-Release number of selected component (if applicable):
the latest trunk version

How reproducible:
./exiv2 POC

Steps to Reproduce:
The output information is as follows:

$ ./exiv2 POC
invalid type value detected in Image::printIFDStructure: 0
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0002 is out of bounds: Offset = 0x00000002, size = 65540, exceeds buffer size by 64830 Bytes; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 497; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02297fba; truncating the entry
Warning: Directory Image, entry 0x4900 has unknown Exif (TIFF) type 18697; setting type size 1.
Error: Directory Image, entry 0x4900 has invalid size 524428033*1; skipping entry.
Warning: Directory Image, entry 0x8000 has unknown Exif (TIFF) type 65535; setting type size 1.
Error: Offset of directory Image, entry 0x8000 is out of bounds: Offset = 0xff7f0222; truncating the entry
Warning: Directory Image, entry 0x02ef has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x02ef has invalid size 1325435904*1; skipping entry.
Error: Offset of directory Image, entry 0x0149 is out of bounds: Offset = 0x03020200; truncating the entry
Warning: Directory Image, entry 0x8800 has unknown Exif (TIFF) type 65279; setting type size 1.
Warning: Directory Image, entry 0xff02 has unknown Exif (TIFF) type 4866; setting type size 1.
Error: Offset of directory Image, entry 0xff02 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4278125056*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x490a4901; truncating the entry
Warning: Directory Image, entry 0x0201 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0201 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 65416; setting type size 1.
Error: Directory Image, entry 0x0002 has invalid size 284819469*1; skipping entry.
Warning: Directory Image, entry 0x0207 has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0x0207 is out of bounds: Offset = 0x007f5d00; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 18689; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00010000; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 511; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4143941632*1; skipping entry.
Warning: Directory Image, entry 0x0227 has unknown Exif (TIFF) type 1794; setting type size 1.
Error: Offset of directory Image, entry 0x0227 is out of bounds: Offset = 0x7f022202; truncating the entry
Warning: Directory Image, entry 0xefff has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0xefff is out of bounds: Offset = 0x02020202; truncating the entry
Warning: Directory Image, entry 0x1002 has unknown Exif (TIFF) type 6914; setting type size 1.
Error: Offset of directory Image, entry 0x1002 is out of bounds: Offset = 0x7f020202; truncating the entry
Warning: Directory Image, entry 0x4947 has unknown Exif (TIFF) type 14406; setting type size 1.
Error: Directory Image, entry 0x4947 has invalid size 587292985*1; skipping entry.
Warning: Directory Image, entry 0x0202 has unknown Exif (TIFF) type 32768; setting type size 1.
Error: Directory Image, entry 0x0202 has invalid size 2147680255*1; skipping entry.
Warning: Directory Image, entry 0x0201: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0xfeff has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0xfeff is out of bounds: Offset = 0x0000fef5; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 18688; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x0201ff02; truncating the entry
Error: Directory Image, entry 0x0002 has invalid size 4278125129*1; skipping entry.
Error: Directory Image, entry 0x8825 Sub-IFD pointer 3 is out of bounds; ignoring it.
Error: Directory GPSInfo with 257 entries considered invalid; not read.
Error: Directory Iop with 18761 entries considered invalid; not read.
exiv2: tiffvisitor.cpp:1299: virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *): Assertion `tc.get()' failed.
Aborted

GDB debugging information is as follows:

(gdb) set args POC
(gdb) b tiffvisitor.cpp:1299
Breakpoint 1 at 0x7ffff75c08bd: file tiffvisitor.cpp, line 1299.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/icy/real/exiv2-trunk/install/bin/exiv2 ../output/crashes/id:000034,sig:06,src:004666,op:int32,pos:198,val:be:+100
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
invalid type value detected in Image::printIFDStructure: 0

Breakpoint 1, Exiv2::Internal::TiffReader::visitDirectory (this=0x7fffffffd490, object=0x68c1b0) at tiffvisitor.cpp:1299
1299            assert(tc.get());
(gdb) c 42
Will ignore next 41 crossings of breakpoint 1.  Continuing.
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0002 is out of bounds: Offset = 0x00000002, size = 65540, exceeds buffer size by 64830 Bytes; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 497; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02297fba; truncating the entry
Warning: Directory Image, entry 0x4900 has unknown Exif (TIFF) type 18697; setting type size 1.
Error: Directory Image, entry 0x4900 has invalid size 524428033*1; skipping entry.
Warning: Directory Image, entry 0x8000 has unknown Exif (TIFF) type 65535; setting type size 1.
Error: Offset of directory Image, entry 0x8000 is out of bounds: Offset = 0xff7f0222; truncating the entry
Warning: Directory Image, entry 0x02ef has unknown Exif (TIFF) type 0; setting type size 1.
Error: Directory Image, entry 0x02ef has invalid size 1325435904*1; skipping entry.
Error: Offset of directory Image, entry 0x0149 is out of bounds: Offset = 0x03020200; truncating the entry
Warning: Directory Image, entry 0x8800 has unknown Exif (TIFF) type 65279; setting type size 1.
Warning: Directory Image, entry 0xff02 has unknown Exif (TIFF) type 4866; setting type size 1.
Error: Offset of directory Image, entry 0xff02 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4278125056*1; skipping entry.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x490a4901; truncating the entry
Warning: Directory Image, entry 0x0201 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0201 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0002 has unknown Exif (TIFF) type 65416; setting type size 1.
Error: Directory Image, entry 0x0002 has invalid size 284819469*1; skipping entry.
Warning: Directory Image, entry 0x0207 has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0x0207 is out of bounds: Offset = 0x007f5d00; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 18689; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x00010000; truncating the entry
Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x02020000; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 511; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x01010101; truncating the entry
Warning: Directory Image, entry 0x0101 has unknown Exif (TIFF) type 257; setting type size 1.
Error: Offset of directory Image, entry 0x0101 is out of bounds: Offset = 0x00007f00; truncating the entry
Warning: Directory Image, entry 0x0100 has unknown Exif (TIFF) type 2377; setting type size 1.
Error: Upper boundary of data for directory Image, entry 0x0100 is out of bounds: Offset = 0x00000100, size = 131401, exceeds buffer size by 130945 Bytes; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 514; setting type size 1.
Error: Directory Image, entry 0x0200 has invalid size 4143941632*1; skipping entry.
Warning: Directory Image, entry 0x0227 has unknown Exif (TIFF) type 1794; setting type size 1.
Error: Offset of directory Image, entry 0x0227 is out of bounds: Offset = 0x7f022202; truncating the entry
Warning: Directory Image, entry 0xefff has unknown Exif (TIFF) type 767; setting type size 1.
Error: Offset of directory Image, entry 0xefff is out of bounds: Offset = 0x02020202; truncating the entry
Warning: Directory Image, entry 0x1002 has unknown Exif (TIFF) type 6914; setting type size 1.
Error: Offset of directory Image, entry 0x1002 is out of bounds: Offset = 0x7f020202; truncating the entry
Warning: Directory Image, entry 0x4947 has unknown Exif (TIFF) type 14406; setting type size 1.
Error: Directory Image, entry 0x4947 has invalid size 587292985*1; skipping entry.
Warning: Directory Image, entry 0x0202 has unknown Exif (TIFF) type 32768; setting type size 1.
Error: Directory Image, entry 0x0202 has invalid size 2147680255*1; skipping entry.
Warning: Directory Image, entry 0x0201: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0xfeff has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0xfeff is out of bounds: Offset = 0x0000fef5; truncating the entry
Warning: Directory Image, entry 0x0200 has unknown Exif (TIFF) type 18688; setting type size 1.
Error: Offset of directory Image, entry 0x0200 is out of bounds: Offset = 0x0201ff02; truncating the entry
Error: Directory Image, entry 0x0002 has invalid size 4278125129*1; skipping entry.
Error: Directory Image, entry 0x8825 Sub-IFD pointer 3 is out of bounds; ignoring it.
Error: Directory GPSInfo with 257 entries considered invalid; not read.
Error: Directory Iop with 18761 entries considered invalid; not read.

Breakpoint 1, Exiv2::Internal::TiffReader::visitDirectory (this=0x7fffffffd490, object=0x68b020) at tiffvisitor.cpp:1299
1299            assert(tc.get());
(gdb) n
exiv2: tiffvisitor.cpp:1299: virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *): Assertion `tc.get()' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff66901c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb)
(gdb) bt
#0  0x00007ffff66901c7 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff6691e2a in __GI_abort () at abort.c:89
#2  0x00007ffff66890bd in __assert_fail_base (fmt=0x7ffff67eaf78 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7ffff770d9d2 "tc.get()", file=file@entry=0x7ffff770ccc2 "tiffvisitor.cpp", line=line@entry=1299, function=function@entry=0x7ffff770d8d7 "virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *)") at assert.c:92
#3  0x00007ffff6689172 in __GI___assert_fail (assertion=0x7ffff770d9d2 "tc.get()", file=0x7ffff770ccc2 "tiffvisitor.cpp", line=1299, function=0x7ffff770d8d7 "virtual void Exiv2::Internal::TiffReader::visitDirectory(Exiv2::Internal::TiffDirectory *)") at assert.c:101
#4  0x00007ffff75c17ba in Exiv2::Internal::TiffReader::visitDirectory (this=<optimized out>, object=<optimized out>) at tiffvisitor.cpp:1299
#5  0x00007ffff758842a in Exiv2::Internal::TiffDirectory::doAccept (this=0x68b020, visitor=...) at tiffcomposite.cpp:916
#6  0x00007ffff758883d in Exiv2::Internal::TiffComponent::accept (this=0x68b020, visitor=...) at tiffcomposite.cpp:891
#7  Exiv2::Internal::TiffSubIfd::doAccept (this=0x68b290, visitor=...) at tiffcomposite.cpp:931
#8  0x00007ffff758850c in Exiv2::Internal::TiffComponent::accept (this=0x68b290, visitor=...) at tiffcomposite.cpp:891
#9  Exiv2::Internal::TiffDirectory::doAccept (this=0x68c1b0, visitor=...) at tiffcomposite.cpp:919
#10 0x00007ffff7588268 in Exiv2::Internal::TiffComponent::accept (this=0x68c1b0, visitor=...) at tiffcomposite.cpp:891
#11 0x00007ffff759f7d4 in Exiv2::Internal::TiffParserWorker::parse (pData=<optimized out>, size=<optimized out>, root=<optimized out>, pHeader=<optimized out>) at tiffimage.cpp:2011
#12 0x00007ffff759bf9f in Exiv2::Internal::TiffParserWorker::decode (exifData=..., iptcData=..., xmpData=..., pData=0x7ffff7ff4000 "II*", size=712, root=131072, findDecoderFct=0x2c8, pHeader=<optimized out>) at tiffimage.cpp:1900
#13 0x00007ffff75995fa in Exiv2::TiffParser::decode (exifData=..., iptcData=..., xmpData=..., pData=0x7ffff7ff4000 "II*", size=712) at tiffimage.cpp:260
#14 Exiv2::TiffImage::readMetadata (this=0x68c000) at tiffimage.cpp:192
#15 0x0000000000426ecb in Action::Print::printSummary (this=0x68bd10) at actions.cpp:289
#16 0x0000000000426a4c in Action::Print::run (this=0x68bd10, path=...) at actions.cpp:244
#17 0x00000000004078c0 in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170

This vulnerability was triggered after the TiffReader::visitDirectory(TiffDirectory* object) at tiffvisitor.cpp:1299

1260 void TiffReader::visitDirectory(TiffDirectory* object)
...
1286         for (uint16_t i = 0; i < n; ++i) {
1287             if (p + 12 > pLast_) {
1288 #ifndef SUPPRESS_WARNINGS
1289                 EXV_ERROR << "Directory " << groupName(object->group())
1290                           << ": IFD entry " << i
1291                           << " lies outside of the data buffer.\n";
1292 #endif
1293                 return;
1294             }
1295             uint16_t tag = getUShort(p, byteOrder());
1296             TiffComponent::AutoPtr tc = TiffCreator::create(tag, object->group());
1297             // The assertion typically fails if a component is not configured in
1298             // the TIFF structure table
1299             assert(tc.get());
1300             tc->setStart(p);
1301             object->addChild(tc);
1302             p += 12;
1303         }
...

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL.
Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
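The loop quoted above (tiffvisitor.cpp:1286-1303) is the whole story of this crash: TiffCreator::create returns a null component for a (tag, group) pair that has no row in the TIFF structure table, and assert(tc.get()) turns that null into SIGABRT, so any file that reaches a sub-IFD with such a tag is a denial of service against every program linking libexiv2. The self-contained C++ model below is added illustration for this report and is not exiv2's source; the Group enum, the table rows, the 12-byte entry layout and the 256-entry sanity limit (inferred from the "with 257 entries considered invalid" output) are assumptions. It shows the same walk with the assertion replaced by a counted skip, and with the "p + 12 > pLast_" check done on lengths so no out-of-range pointer is ever formed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <memory>
#include <set>
#include <utility>
#include <vector>

// Example model of TiffReader::visitDirectory (not exiv2's code).
enum class Group : uint16_t { Image = 1, Gps = 2 };   // assumed group ids

struct Component {            // stand-in for TiffComponent
    Group          group;
    uint16_t       tag;
    const uint8_t* start;
};

// Little-endian ("II") 16-bit read, like getUShort(p, littleEndian).
static uint16_t getUShort(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }

// Stand-in for the TIFF structure table (assumed contents). Image has a
// catch-all row, Gps only lists a few tags, so an unlisted tag inside a
// GPS sub-IFD is the "not configured" case the assertion guards.
static const uint16_t kAnyTag = 0xffff;
static const std::set<std::pair<Group, uint16_t>> kStructureTable = {
    {Group::Image, kAnyTag},
    {Group::Gps, 0x0000}, {Group::Gps, 0x0001}, {Group::Gps, 0x0002},
};

// Stand-in for TiffCreator::create: null when no table row matches.
static std::unique_ptr<Component> create(uint16_t tag, Group group) {
    if (kStructureTable.count({group, tag}) || kStructureTable.count({group, kAnyTag}))
        return std::unique_ptr<Component>(new Component{group, tag, nullptr});
    return nullptr;
}

struct VisitResult {
    size_t added = 0;       // entries that became components
    size_t unhandled = 0;   // entries with no table row (the legacy assert fires here)
    bool   truncated = false;
    bool   rejected = false; // entry count over the sanity limit
};

// Hardened walk: an unconfigured tag is counted and skipped, not asserted on.
static VisitResult visitDirectory(const std::vector<uint8_t>& buf, size_t ifdOffset, Group group) {
    VisitResult r;
    if (ifdOffset + 2 > buf.size()) { r.truncated = true; return r; }
    const uint8_t* p     = buf.data() + ifdOffset;
    const uint8_t* pLast = buf.data() + buf.size();
    uint16_t n = getUShort(p);
    p += 2;
    if (n > 256) { r.rejected = true; return r; }   // assumed limit, see lead-in
    for (uint16_t i = 0; i < n; ++i) {
        if (size_t(pLast - p) < 12) { r.truncated = true; return r; } // entry outside buffer
        uint16_t tag = getUShort(p);
        std::unique_ptr<Component> tc = create(tag, group);
        if (!tc) { ++r.unhandled; p += 12; continue; } // legacy: assert(tc.get()) -> SIGABRT
        tc->start = p;
        ++r.added;
        p += 12;
    }
    return r;
}

// True when the original assertion at tiffvisitor.cpp:1299 would fire on this IFD.
static bool legacyAssertWouldFire(const std::vector<uint8_t>& buf, size_t ifdOffset, Group group) {
    return visitDirectory(buf, ifdOffset, group).unhandled > 0;
}

// Constructed sample input: a little-endian IFD whose count field may lie
// about how many 12-byte entries (tag, type SHORT, count 1, value 0) follow.
static std::vector<uint8_t> sampleIfd(uint16_t count, std::initializer_list<uint16_t> tags) {
    std::vector<uint8_t> b = { uint8_t(count & 0xff), uint8_t(count >> 8) };
    for (uint16_t t : tags) {
        b.push_back(uint8_t(t & 0xff)); b.push_back(uint8_t(t >> 8));  // tag
        b.push_back(3); b.push_back(0);                                // type SHORT
        b.push_back(1); b.push_back(0); b.push_back(0); b.push_back(0);// count = 1
        b.push_back(0); b.push_back(0); b.push_back(0); b.push_back(0);// value
    }
    return b;
}

int main() {
    std::vector<uint8_t> gps = sampleIfd(3, {0x0000, 0x4900, 0x0002});
    VisitResult r = visitDirectory(gps, 0, Group::Gps);
    std::printf("legacy assert fires: %d; hardened: added=%zu unhandled=%zu\n",
                legacyAssertWouldFire(gps, 0, Group::Gps) ? 1 : 0, r.added, r.unhandled);
    return 0;
}
```

The same 38 bytes parse cleanly under the Image group because of the catch-all row and trip the legacy assertion under the Gps group, which matches the backtrace (the failing visitDirectory is reached through TiffSubIfd::doAccept). Because the hardened walk only reports the unhandled entry, a fuzzer-found file like the attached POC degrades to a warning instead of taking the host process down.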
Could you attach a sample file for this issue? Thank you. Did you check if the latest codebase from upstream is affected and report this to them as well?
Created attachment 1310025
Triggered by "./exiv2 $POC"
Reported to upstream here: http://dev.exiv2.org/issues/1307 You should report these to upstream by default, and here as well if Red Hat packages are affected.
Oops, I reported a duplicate on Github: https://github.com/Exiv2/exiv2/issues/57
Fixed with exiv2-0.27.0-1.el7_6.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2101