Bug 1566260 - There is a Segmentation fault in the software exiv2 when the function Exiv2::tEXtToDataBuf() is finished
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: exiv2
Version: 7.5-Alt
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Jan Grulich
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-11 22:00 UTC by c1208828
Modified: 2019-08-06 12:47 UTC (History)

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:47:15 UTC
Target Upstream Version:
Embargoed:


Attachments
Triggered by ./exiv2 -pR POC (266 bytes, image/png)
2018-04-11 22:00 UTC, c1208828


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2101 0 None None None 2019-08-06 12:47:24 UTC

Description c1208828 2018-04-11 22:00:38 UTC
Created attachment 1420521
Triggered by ./exiv2 -pR POC

Description of problem:


Version-Release number of selected component (if applicable):

0.26

How reproducible:

./exiv2 -pR POC

Steps to Reproduce:

The output information is as follows:
$ ./exiv2 -pR POC
STRUCTURE OF PNG FILE: POC
 address | chunk |  length | data                           | checksum
       8 | IHDR  |      13 | ... ... ....                   | 0x44a48ac6
      33 | QEXt  |      25 | Software.Adobe ImageReady      | 0x71c9653c
      70 | PL    |      15 | ..... ... ....                 | 0x44a48ac6
      97 | tEXt  |      25 | Software.Adobe IpHYsReady      | 0x71c9653c
Segmentation fault (core dumped)

GDB debugging information is as follows:
(gdb) set args -pR POC
(gdb) r
STRUCTURE OF PNG FILE: POC
 address | chunk |  length | data                           | checksum
       8 | IHDR  |      13 | ... ... ....                   | 0x44a48ac6
      33 | QEXt  |      25 | Software.Adobe ImageReady      | 0x71c9653c
      70 | PL    |      15 | ..... ... ....                 | 0x44a48ac6
      97 | tEXt  |      25 | Software.Adobe IpHYsReady      | 0x71c9653c

Program received signal SIGSEGV, Segmentation fault.
0x00000000008031f9 in Exiv2::tEXtToDataBuf (result=..., length=4294967295, bytes=0xec140a "    ")
    at pngimage.cpp:164

164	                if ( value[p[i]] )
(gdb) bt
#0  0x00000000008031f9 in Exiv2::tEXtToDataBuf (result=..., length=4294967295, bytes=0xec140a "    ")
    at pngimage.cpp:164
#1  Exiv2::PngImage::printStructure (this=0xec0aa0, out=..., option=Exiv2::kpsRecursive, depth=0)
    at pngimage.cpp:306
#2  0x000000000046bdc5 in Action::Print::printStructure (this=this@entry=0xec1bd0, out=..., 
    option=option@entry=Exiv2::kpsRecursive) at actions.cpp:283
#3  0x0000000000486d52 in Action::Print::run (this=0xec1bd0, path="POC") at actions.cpp:247
#4  0x000000000040772d in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:166

(gdb) list
159	        // header is \nsomething\n number\n hex
160	        while ( count < 3 )
161	            if ( *p++ == '\n' )
162	                count++;
163	        for ( long i = 0 ; i < length ; i++ ){
164	                if ( value[p[i]] )
165	                    ++count;
166	        }
167	        result.alloc((count+1)/2) ;
168	


Actual results:

crash

Expected results:

crash

Additional info:

The crash can be reproduced by the attached file.
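
Added example (not part of the original report, and not the exiv2 code or its fix): a bounds-checked C++ decoder for the "\nsomething\n number\n hex" layout named in the listing above. It rejects an implausible length such as the 4294967295 in the backtrace and stops the newline scan at the end of the buffer. The name decodeHexPayload, the maxLength parameter and the sample bytes are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Value of a hex digit, or -1 for any other byte.
static int hexValue(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Hypothetical helper: decodes "\nsomething\n number\n hex" into raw bytes.
// Returns false instead of reading past the buffer.
bool decodeHexPayload(const unsigned char* bytes, std::size_t length,
                      std::size_t maxLength, std::vector<std::uint8_t>& out) {
    out.clear();
    // A caller-supplied cap (assumed: the enclosing chunk size) rejects a
    // wrapped length such as 4294967295 before any byte is touched.
    if (bytes == NULL || length > maxLength) return false;

    // Skip the three header newlines, never stepping past `length`.
    std::size_t pos = 0;
    for (int newlines = 0; newlines < 3; ) {
        if (pos >= length) return false;  // header truncated
        if (bytes[pos++] == '\n') ++newlines;
    }

    // Pair up hex digits; non-hex bytes (spaces, line breaks) are skipped.
    int high = -1;
    for (; pos < length; ++pos) {
        int v = hexValue(bytes[pos]);
        if (v < 0) continue;
        if (high < 0) { high = v; continue; }
        out.push_back(static_cast<std::uint8_t>(high * 16 + v));
        high = -1;
    }
    return high < 0;  // an unpaired trailing digit is treated as malformed
}

int main() {
    // Constructed sample input, not taken from the attached POC.
    const unsigned char sample[] = "\nexif\n 4\n45786966";
    std::vector<std::uint8_t> out;
    bool ok = decodeHexPayload(sample, sizeof(sample) - 1, 1024, out);
    std::printf("ok=%d bytes=%zu\n", ok, out.size());
    return 0;
}
```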

Comment 2 Sam Fowler 2018-05-22 05:42:09 UTC
Please report this upstream if you have not already:

http://dev.exiv2.org/projects/exiv2/issues

Comment 3 c1208828 2018-06-11 17:04:53 UTC
This issue is closed.

Comment 6 Jan Grulich 2019-01-28 16:08:14 UTC
Fixed with exiv2-0.27.0-1.el7_6.

Comment 10 errata-xmlrpc 2019-08-06 12:47:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2101

