Bug 1594642 (CVE-2018-12648) - CVE-2018-12648 exempi: NULL pointer dereference in WEBP_Support.hpp:WEBP::GetLE32() allows for denial of service
Summary: CVE-2018-12648 exempi: NULL pointer dereference in WEBP_Support.hpp:WEBP::Get...
Alias: CVE-2018-12648
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1594643 1594644
Blocks: 1594646
Reported: 2018-06-25 05:27 UTC by Sam Fowler
Modified: 2021-02-17 00:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Exempi is vulnerable to an issue that may manifest as a NULL pointer dereference or an out-of-bounds access due to not checking whether the vector is of the required size before accessing its elements. An attacker could use this to cause a denial of service.
Clone Of:
Last Closed: 2019-07-12 13:05:41 UTC


Description Sam Fowler 2018-06-25 05:27:30 UTC
Exempi through version 2.4.5 is vulnerable to a NULL pointer dereference in the WEBP_Support.hpp:WEBP::GetLE32() function. An attacker could exploit this to cause a denial of service via a crafted file.

Upstream Bug:


Comment 1 Sam Fowler 2018-06-25 05:27:56 UTC
Created exempi tracking bugs for this issue:

Affects: fedora-all [bug 1594643]

Comment 3 Adam Mariš 2018-07-12 14:58:40 UTC

This issue did not affect the versions of exempi as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include support for the WEBP format in the code in which the vulnerability exists.

Comment 4 Adam Mariš 2018-07-13 12:25:12 UTC
Vulnerable code:


void VP8XChunk::xmp(bool hasXMP)
{
    // this->data is a std::vector; &this->data[0] is read without checking its size
    XMP_Uns32 flags = GetLE32(&this->data[0]);
    flags ^= (-hasXMP ^ flags) & (1 << XMP_FLAG_BIT);
    PutLE32(&this->data[0], flags);
}

WEBP_Support.hpp (not accurately ordered):

static inline XMP_Uns32 GetLE16(const XMP_Uns8* const data)
{
    return (XMP_Uns32)(data[0] << 0) | (data[1] << 8);
}

static inline XMP_Uns32 GetLE32(const XMP_Uns8* const data)
{
    // reads four bytes starting at data; no length information is available here
    return (XMP_Uns32)GetLE16(data) | (GetLE16(data + 2) << 16);
}

static inline void PutLE16(XMP_Uns8* const data, XMP_Uns32 val)
{
    assert(val < (1 << 16));
    data[0] = (val >> 0);
    data[1] = (val >> 8);
}

static inline void PutLE32(XMP_Uns8* const data, XMP_Uns32 val)
{
    PutLE16(data, (XMP_Uns32)(val & 0xffff));
    PutLE16(data + 2, (XMP_Uns32)(val >> 16));
}

The code should check if this->data is a vector of required size before accessing it. In the reproducer attached to upstream bug, this->data is an empty vector, which causes NULL pointer dereference (though it may also cause an out of bounds access - error may be different based on what code is generated by the compiler).
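A hardened form of the accessor, added here as an illustration (it is not exempi code and not the upstream fix): the size check rejects a chunk shorter than the 4-byte flags word before GetLE32() is ever called. The VP8XChunk stand-in and the XMP_FLAG_BIT value (bit 2, from the WebP VP8X flag layout) are assumptions.

```cpp
#include <cassert>
#include <cstdint>
#include <vector>

typedef uint8_t  XMP_Uns8;
typedef uint32_t XMP_Uns32;

// Assumed bit position of the XMP flag in the VP8X flags word.
const unsigned XMP_FLAG_BIT = 2;

static inline XMP_Uns32 GetLE16(const XMP_Uns8* const data) {
    return (XMP_Uns32)(data[0] << 0) | (data[1] << 8);
}
static inline XMP_Uns32 GetLE32(const XMP_Uns8* const data) {
    return (XMP_Uns32)GetLE16(data) | (GetLE16(data + 2) << 16);
}
static inline void PutLE16(XMP_Uns8* const data, XMP_Uns32 val) {
    assert(val < (1 << 16));
    data[0] = (XMP_Uns8)(val >> 0);
    data[1] = (XMP_Uns8)(val >> 8);
}
static inline void PutLE32(XMP_Uns8* const data, XMP_Uns32 val) {
    PutLE16(data, val & 0xffff);
    PutLE16(data + 2, val >> 16);
}

// Stand-in for the chunk object: the flags word occupies the first four
// bytes of `data`, and a crafted file can leave this vector empty.
struct VP8XChunk {
    std::vector<XMP_Uns8> data;
};

// Guarded equivalent of VP8XChunk::xmp(): refuses a chunk that cannot hold
// the 32-bit flags word instead of forming &data[0] on an empty vector.
bool setXmpFlag(VP8XChunk& chunk, bool hasXMP) {
    if (chunk.data.size() < sizeof(XMP_Uns32)) return false;  // malformed chunk
    XMP_Uns32 flags = GetLE32(&chunk.data[0]);
    flags ^= (-(XMP_Uns32)hasXMP ^ flags) & (1u << XMP_FLAG_BIT);
    PutLE32(&chunk.data[0], flags);
    return true;
}

// Exercise the guard on constructed inputs (an empty chunk, and 4 zero bytes).
bool emptyChunkIsRejected() {
    VP8XChunk chunk;                      // constructed: zero-length chunk data
    return !setXmpFlag(chunk, true);
}
XMP_Uns32 flagsAfterToggle(bool hasXMP) {
    VP8XChunk chunk;
    chunk.data.assign(4, 0);              // constructed: all-zero flags word
    setXmpFlag(chunk, hasXMP);
    return GetLE32(&chunk.data[0]);
}
```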

Comment 5 Product Security DevOps Team 2019-07-12 13:05:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

