Bug 1566260 - There is a Segmentation fault in the software exiv2 when the function Exiv2::tEXtToDataBuf() is finished [NEEDINFO]
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2 (Show other bugs)
7.5-Alt
x86_64 Linux
unspecified Severity unspecified
Assigned To: Jan Grulich
Desktop QE
Reported: 2018-04-11 18:00 EDT by c1208828
Modified: 2018-05-22 01:42 EDT (History)
Type: Bug
sfowler: needinfo? (daniel810736)


Attachments
Triggered by ./exiv2 -pR POC (266 bytes, image/png)
2018-04-11 18:00 EDT, c1208828

Description c1208828 2018-04-11 18:00:38 EDT
Created attachment 1420521 [details]
Triggered by ./exiv2 -pR POC

Description of problem:


Version-Release number of selected component (if applicable):

0.26

How reproducible:

./exiv2 -pR POC

Steps to Reproduce:

The output information is as follows:
$ ./exiv2 -pR POC
STRUCTURE OF PNG FILE: POC
 address | chunk |  length | data                           | checksum
       8 | IHDR  |      13 | ... ... ....                   | 0x44a48ac6
      33 | QEXt  |      25 | Software.Adobe ImageReady      | 0x71c9653c
      70 | PL    |      15 | ..... ... ....                 | 0x44a48ac6
      97 | tEXt  |      25 | Software.Adobe IpHYsReady      | 0x71c9653c
Segmentation fault (core dumped)

GDB debugging information is as follows:
(gdb) set args -pR POC
(gdb) r
STRUCTURE OF PNG FILE: POC
 address | chunk |  length | data                           | checksum
       8 | IHDR  |      13 | ... ... ....                   | 0x44a48ac6
      33 | QEXt  |      25 | Software.Adobe ImageReady      | 0x71c9653c
      70 | PL    |      15 | ..... ... ....                 | 0x44a48ac6
      97 | tEXt  |      25 | Software.Adobe IpHYsReady      | 0x71c9653c

Program received signal SIGSEGV, Segmentation fault.
0x00000000008031f9 in Exiv2::tEXtToDataBuf (result=..., length=4294967295, bytes=0xec140a "    ")
    at pngimage.cpp:164

164	                if ( value[p[i]] )
(gdb) bt
#0  0x00000000008031f9 in Exiv2::tEXtToDataBuf (result=..., length=4294967295, bytes=0xec140a "    ")
    at pngimage.cpp:164
#1  Exiv2::PngImage::printStructure (this=0xec0aa0, out=..., option=Exiv2::kpsRecursive, depth=0)
    at pngimage.cpp:306
#2  0x000000000046bdc5 in Action::Print::printStructure (this=this@entry=0xec1bd0, out=..., 
    option=option@entry=Exiv2::kpsRecursive) at actions.cpp:283
#3  0x0000000000486d52 in Action::Print::run (this=0xec1bd0, path="POC") at actions.cpp:247
#4  0x000000000040772d in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:166

(gdb) list
159	        // header is \nsomething\n number\n hex
160	        while ( count < 3 )
161	            if ( *p++ == '\n' )
162	                count++;
163	        for ( long i = 0 ; i < length ; i++ ){
164	                if ( value[p[i]] )
165	                    ++count;
166	        }
167	        result.alloc((count+1)/2) ;
168	

(gdb) info all-registers 
rax            0x69	105
rbx            0xec13f0	15471600
rcx            0x1d3c7	119751
rdx            0x0	0
rsi            0x0	0
rdi            0x69	105
rbp            0xec1c36	0xec1c36
rsp            0x7fffffffe070	0x7fffffffe070
r8             0x69	105
r9             0x0	0
r10            0xffffffffffffffff	-1
r11            0x0	0
r12            0x7fffffffe230	140737488347696
r13            0xec0aa0	15469216
r14            0xffffffff	4294967295
r15            0xec0c60	15469664
rip            0x8031f9	0x8031f9 <Exiv2::PngImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int)+16057>
eflags         0x10297	[ CF PF AF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
st0            0	(raw 0x00000000000000000000)
st1            0	(raw 0x00000000000000000000)
st2            0	(raw 0x00000000000000000000)
st3            0	(raw 0x00000000000000000000)
st4            0	(raw 0x00000000000000000000)
st5            0	(raw 0x00000000000000000000)
st6            0	(raw 0x00000000000000000000)
st7            0	(raw 0x00000000000000000000)
fctrl          0x37f	895
fstat          0x0	0
ftag           0xffff	65535
fiseg          0x0	0
fioff          0x0	0
foseg          0x0	0
fooff          0x0	0
fop            0x0	0
mxcsr          0x1f80	[ IM DM ZM OM UM PM ]


Actual results:

crash

Expected results:

crash

Additional info:

The crash can be reproduced by the attached file.
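The backtrace shows Exiv2::tEXtToDataBuf() entered with length=4294967295 (0xffffffff), and the listing at pngimage.cpp:164 uses that value unchecked as the bound of the loop reading value[p[i]], so the read runs far past the chunk data. The defensive fix is to check every chunk's declared length against the bytes that actually remain in the file before any payload byte is touched. The following is an added example written for this page, not exiv2's own code: a bounds-checked PNG chunk walker plus a constructed sample file that mirrors the report's chunk layout (IHDR of 13 bytes, a 25-byte tEXt chunk). The names walkPngChunks, makeChunk, sampleFile and chunkCountOrNegative are hypothetical, and the CRC fields are placeholders that are not verified.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical example types and helpers for this page; not exiv2's code.
struct PngChunk {
    size_t      offset;  // file offset of the 4-byte length field
    uint32_t    length;  // declared payload length
    std::string type;    // 4-character chunk type, e.g. "IHDR" or "tEXt"
};

// PNG stores the length and CRC fields big-endian.
static uint32_t be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

static void putBe32(std::vector<uint8_t>& v, uint32_t x) {
    v.push_back(uint8_t(x >> 24)); v.push_back(uint8_t(x >> 16));
    v.push_back(uint8_t(x >> 8));  v.push_back(uint8_t(x));
}

// Walks the chunk list without trusting the length field. Each declared
// length is checked against the PNG spec ceiling (2^31-1) and against the
// bytes really present after the 8-byte header (length + type) and the
// 4-byte CRC, before any payload byte is read. The first inconsistency
// stops the walk and is reported in `err` instead of becoming an
// out-of-bounds read.
bool walkPngChunks(const uint8_t* data, size_t size,
                   std::vector<PngChunk>& out, std::string& err) {
    static const uint8_t kSig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    if (size < 8 || std::memcmp(data, kSig, 8) != 0) {
        err = "missing PNG signature";
        return false;
    }
    size_t pos = 8;
    while (pos < size) {
        if (size - pos < 12) {
            err = "truncated chunk header at offset " + std::to_string(pos);
            return false;
        }
        uint32_t len = be32(data + pos);
        std::string type(reinterpret_cast<const char*>(data + pos + 4), 4);
        size_t avail = size - pos - 12;  // payload bytes actually present
        if (len > 0x7fffffffu || len > avail) {
            err = "chunk " + type + " at offset " + std::to_string(pos) +
                  " declares length " + std::to_string(len) +
                  " but only " + std::to_string(avail) + " payload bytes remain";
            return false;
        }
        out.push_back({pos, len, type});
        pos += 12 + len;
        if (type == "IEND") break;
    }
    return true;
}

// Serialises one chunk as [length][type][payload][crc]. The length field is
// a separate argument so a test can write a value that does not match the
// payload. The CRC is a constructed placeholder, not computed.
std::vector<uint8_t> makeChunk(const std::string& type,
                               const std::vector<uint8_t>& payload,
                               uint32_t declaredLen) {
    std::vector<uint8_t> v;
    putBe32(v, declaredLen);
    v.insert(v.end(), type.begin(), type.end());
    v.insert(v.end(), payload.begin(), payload.end());
    putBe32(v, 0);  // placeholder CRC
    return v;
}

// Constructed sample file: signature, a 13-byte IHDR, one 25-byte tEXt chunk
// ("Software\0Adobe ImageReady") whose length field is set to `textLen`,
// then IEND. With textLen == 25 the file is internally consistent.
std::vector<uint8_t> sampleFile(uint32_t textLen) {
    std::vector<uint8_t> f = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    const std::string text("Software\0Adobe ImageReady", 25);
    std::vector<uint8_t> chunks[] = {
        makeChunk("IHDR", std::vector<uint8_t>(13, 0), 13),
        makeChunk("tEXt", std::vector<uint8_t>(text.begin(), text.end()), textLen),
        makeChunk("IEND", {}, 0),
    };
    for (const auto& c : chunks) f.insert(f.end(), c.begin(), c.end());
    return f;
}

// Number of chunks accepted for a sample whose tEXt length field is
// `textLen`, or -1 if the walker rejected the file.
int chunkCountOrNegative(uint32_t textLen, std::string* errOut = nullptr) {
    std::vector<uint8_t> file = sampleFile(textLen);
    std::vector<PngChunk> chunks;
    std::string err;
    bool ok = walkPngChunks(file.data(), file.size(), chunks, err);
    if (errOut) *errOut = err;
    return ok ? int(chunks.size()) : -1;
}

int main() {
    std::string err;
    std::printf("consistent file: %d chunks\n", chunkCountOrNegative(25, &err));
    std::printf("length 0xffffffff: %d (%s)\n",
                chunkCountOrNegative(0xffffffffu, &err), err.c_str());
    return 0;
}
```

The check `len > avail` is the one that matters for the crash in this report: a length field of 0xffffffff is rejected before the tEXt payload is handed to any per-byte loop, whereas the loop in the gdb listing trusts the value it is given. A declared length that is merely too large by a few bytes (for example 26 instead of 25) is also caught, because the next chunk header then no longer fits in the remaining file.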
Comment 2 Sam Fowler 2018-05-22 01:42:09 EDT
Please report this upstream if you have not already:

http://dev.exiv2.org/projects/exiv2/issues
