Bug 1594642 (CVE-2018-12648) - CVE-2018-12648 exempi: NULL pointer dereference in WEBP_Support.hpp:WEBP::GetLE32() allows for denial of service
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-12648
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1594643 1594644
Blocks: 1594646
Reported: 2018-06-25 05:27 UTC by Sam Fowler
Modified: 2021-02-17 00:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Exempi is vulnerable to an issue that may manifest as a NULL pointer dereference or an out-of-bounds access due to not checking if vector is of required size before accessing its elements. An attacker could use this to cause a denial of service.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:05:41 UTC



Description Sam Fowler 2018-06-25 05:27:30 UTC
Exempi through version 2.4.5 is vulnerable to a NULL pointer dereference in the WEBP_Support.hpp:WEBP::GetLE32() function. An attacker could exploit this to cause a denial of service via a crafted file.


Upstream Bug:

https://bugs.freedesktop.org/show_bug.cgi?id=106981

Comment 1 Sam Fowler 2018-06-25 05:27:56 UTC
Created exempi tracking bugs for this issue:

Affects: fedora-all [bug 1594643]

Comment 3 Adam Mariš 2018-07-12 14:58:40 UTC
Statement:

This issue did not affect the versions of exempi as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include support for the WEBP format in the code in which the vulnerability exists.

Comment 4 Adam Mariš 2018-07-13 12:25:12 UTC
Vulnerable code:

WEBP_Support.cpp:

void VP8XChunk::xmp(bool hasXMP)
{
    XMP_Uns32 flags = GetLE32(&this->data[0]);
    flags ^= (-hasXMP ^ flags) & (1 << XMP_FLAG_BIT);
    PutLE32(&this->data[0], flags);
}

WEBP_Support.hpp (not accurately ordered):

static inline XMP_Uns32 GetLE16(const XMP_Uns8* const data)
{
    return (XMP_Uns32)(data[0] << 0) | (data[1] << 8);
}

static inline XMP_Uns32 GetLE32(const XMP_Uns8* const data)
{
    return (XMP_Uns32)GetLE16(data) | (GetLE16(data + 2) << 16);
}

static inline void PutLE16(XMP_Uns8* const data, XMP_Uns32 val)
{
    assert(val < (1 << 16));
    data[0] = (val >> 0);
    data[1] = (val >> 8);
}

static inline void PutLE32(XMP_Uns8* const data, XMP_Uns32 val)
{
    PutLE16(data, (XMP_Uns32)(val & 0xffff));
    PutLE16(data + 2, (XMP_Uns32)(val >> 16));
}

The code should check that this->data is a vector of the required size before accessing it. In the reproducer attached to the upstream bug, this->data is an empty vector, which causes a NULL pointer dereference (though it may also cause an out-of-bounds access; the error may differ depending on the code the compiler generates).
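As an added example (not exempi's own code): the little-endian helpers from the excerpt above, plus a length-checked counterpart of VP8XChunk::xmp() that refuses a payload shorter than 4 bytes instead of reading through &data[0] of an empty vector. The XMP_Uns32/XMP_Uns8 typedefs and the value of XMP_FLAG_BIT are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef uint32_t XMP_Uns32;   /* assumed stand-ins for exempi's typedefs */
typedef uint8_t  XMP_Uns8;
#define XMP_FLAG_BIT 2        /* assumed: XMP-present bit of the VP8X flags field */

/* Little-endian helpers, as in the WEBP_Support.hpp excerpt above. */
static inline XMP_Uns32 GetLE16(const XMP_Uns8 *const data)
{
    return (XMP_Uns32)(data[0] << 0) | (data[1] << 8);
}
static inline XMP_Uns32 GetLE32(const XMP_Uns8 *const data)
{
    return (XMP_Uns32)GetLE16(data) | (GetLE16(data + 2) << 16);
}
static inline void PutLE16(XMP_Uns8 *const data, XMP_Uns32 val)
{
    data[0] = (XMP_Uns8)(val >> 0);
    data[1] = (XMP_Uns8)(val >> 8);
}
static inline void PutLE32(XMP_Uns8 *const data, XMP_Uns32 val)
{
    PutLE16(data, val & 0xffff);
    PutLE16(data + 2, val >> 16);
}
/* Length-checked counterpart of VP8XChunk::xmp(): the payload comes with its
 * size, and the update is refused when fewer than 4 bytes are present (the
 * upstream reproducer yields an empty vector, so &data[0] is not a valid
 * 4-byte object there). Returns true when the flag was written. */
bool vp8x_set_xmp_flag(XMP_Uns8 *data, size_t len, bool hasXMP)
{
    if (data == NULL || len < 4)
        return false;                       /* the check the original lacks */
    XMP_Uns32 flags = GetLE32(data);
    flags ^= (-(XMP_Uns32)hasXMP ^ flags) & (1u << XMP_FLAG_BIT);
    PutLE32(data, flags);
    return true;
}

int main(void)
{
    XMP_Uns8 payload[10] = {0};             /* constructed VP8X payload, flags clear */
    printf("empty payload: %s\n", vp8x_set_xmp_flag(NULL, 0, true) ? "written" : "rejected");
    printf("10-byte payload: %s, flags byte = 0x%02x\n",
           vp8x_set_xmp_flag(payload, sizeof payload, true) ? "written" : "rejected", payload[0]);
    return 0;
}
```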

Comment 5 Product Security DevOps Team 2019-07-12 13:05:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-12648

