heap-buffer-overflow in Exiv2::IptcData::printStructure #159

Closed
gy741 opened this issue Nov 10, 2017 · 6 comments · Fixed by #160 or #479

Comments
gy741 commented Nov 10, 2017

Hello.

I found a heap-buffer-overflow bug in exiv2.

Please confirm.

Thanks.

OS: Ubuntu 16.04 64bit
Steps to reproduce:
1. Download the PoC files.
2. Compile the source code with ASan.
PoC download: PoC

=================================================================
==31776==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e951 at pc 0x7f5a274c7667 bp 0x7ffd77997f30 sp 0x7ffd77997f28
READ of size 1 at 0x60200000e951 thread T0
    #0 0x7f5a274c7666 in Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) /root/karas/exiv2/src/iptc.cpp:359:26
    #1 0x7f5a274a1516 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/karas/exiv2/src/image.cpp:467:25
    #2 0x7f5a274a7090 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /root/karas/exiv2/src/image.cpp:530:13
    #3 0x7f5a2769428f in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) /root/karas/exiv2/src/tiffimage.cpp:348:9
    #4 0x7f5a2768bf63 in Exiv2::TiffImage::readMetadata() /root/karas/exiv2/src/tiffimage.cpp:191:9
    #5 0x525002 in Action::Print::printSummary() /root/karas/exiv2/src/actions.cpp:292:9
    #6 0x524758 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/karas/exiv2/src/actions.cpp:244:44
    #7 0x4f71a7 in main /root/karas/exiv2/src/exiv2.cpp:170:19
    #8 0x7f5a25b6d82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x422418 in _start (/root/karas/exiv2/build/bin/exiv2+0x422418)

0x60200000e951 is located 0 bytes to the right of 1-byte region [0x60200000e950,0x60200000e951)
allocated by thread T0 here:
    #0 0x4f3c90 in operator new[](unsigned long) (/root/karas/exiv2/build/bin/exiv2+0x4f3c90)
    #1 0x7f5a274a13fc in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/karas/exiv2/src/image.cpp:464:37
    #2 0x7f5a274a7090 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /root/karas/exiv2/src/image.cpp:530:13

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/karas/exiv2/src/iptc.cpp:359:26 in Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)
Shadow bytes around the buggy address:
  0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fd
  0x0c047fff9d30: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff9d40: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff9d50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff9d60: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff9d70: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31776==ABORTING
D4N added a commit to D4N/exiv2 that referenced this issue Nov 10, 2017
This commit adds an out-of-bounds protection in the case that the
extracted values for offset & count are summed up larger than the size
of the file. Also this function checks for overflows before performing
the addition.

This fixes Exiv2#159

D4N commented Nov 10, 2017

Thanks for the report, the issue should be fixed by #160.

@D4N D4N closed this as completed in #160 Nov 10, 2017

gy741 commented Nov 11, 2017

@D4N

Hello.

I checked the patch.

But I found a new bug.

Please confirm.

Thanks.

PoC download: PoC

=================================================================
==15673==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e951 at pc 0x7f10afe85977 bp 0x7ffd0d96cbf0 sp 0x7ffd0d96cbe8
READ of size 1 at 0x60200000e951 thread T0
    #0 0x7f10afe85976 in Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int) /root/karas/exiv2/src/iptc.cpp:359:26
    #1 0x7f10afe5f5dd in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/karas/exiv2/src/image.cpp:474:25
    #2 0x7f10afe653a0 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /root/karas/exiv2/src/image.cpp:537:13
    #3 0x7f10b005257f in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) /root/karas/exiv2/src/tiffimage.cpp:348:9
    #4 0x7f10b004a253 in Exiv2::TiffImage::readMetadata() /root/karas/exiv2/src/tiffimage.cpp:191:9
    #5 0x525002 in Action::Print::printSummary() /root/karas/exiv2/src/actions.cpp:292:9
    #6 0x524758 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/karas/exiv2/src/actions.cpp:244:44
    #7 0x4f71a7 in main /root/karas/exiv2/src/exiv2.cpp:170:19
    #8 0x7f10ae52b82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x422418 in _start (/root/karas/exiv2/build/bin/exiv2+0x422418)

0x60200000e951 is located 0 bytes to the right of 1-byte region [0x60200000e950,0x60200000e951)
allocated by thread T0 here:
    #0 0x4f3c90 in operator new[](unsigned long) (/root/karas/exiv2/build/bin/exiv2+0x4f3c90)
    #1 0x7f10afe5f4c8 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /root/karas/exiv2/src/image.cpp:471:37
    #2 0x7f10afe653a0 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /root/karas/exiv2/src/image.cpp:537:13

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/karas/exiv2/src/iptc.cpp:359:26 in Exiv2::IptcData::printStructure(std::ostream&, unsigned char const*, unsigned long, unsigned int)
Shadow bytes around the buggy address:
  0x0c047fff9cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa fd fd
  0x0c047fff9d30: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff9d40: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff9d50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff9d60: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff9d70: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15673==ABORTING

@clanmills clanmills self-assigned this Nov 11, 2017
clanmills (Collaborator) commented

Can you provide the image in another format, please. I don't know how to decompress a .DMS file on the Mac.

@clanmills clanmills reopened this Nov 11, 2017

clanmills commented Nov 15, 2017

The file printStructure.dms is an image (it's not a compressed image). The PR disable-printStructure fixes this. However, I haven't added printStructure.dms to the test suite.

I'm 100% defeated by Git and PR disable-printStructure, which appears to include the totally unrelated PR documentation-update. The PR disable-printStructure breaks the test suite and although I know how to fix the suite on my local machine, I don't know how to submit my fix to master.

@clanmills clanmills assigned piponazo and D4N and unassigned clanmills Nov 15, 2017
clanmills commented Nov 15, 2017

@D4N and @piponazo

Can I ask you to unravel the mess with this issue, PR disable-printStructure and PR documentation-update. I feel totally locked out of Exiv2 by GIT. I'm unable to submit anything to the system.

Alison and I are off to weddings in Scotland and Vietnam tomorrow (2017-11-16). We get home on 2017-12-05. I'll answer email while travelling. I'm not going to attempt to interact with GIT. Assuming that disable-printStructure has the effect of stabilising the security of Exiv2, I'll be happy to work in December on publishing v0.27. The website was moved to SVN in September and I can make the release without touching Git.

And then it is time for me to retire. In 2018 I am willing to continue answering user issues about Exiv2 and to help you in any way with the project via email or Slack. However, I am defeated by Git and locked out of http://github.com/exiv2/exiv2

piponazo (Collaborator) commented

Hi @gy741, I was spending some time checking out all the open issues in the project and you are right. The second POC you provided is still making exiv2 crash (when using the sanitizers). However the issue with the first POC is solved.

Our plan is to stop using the printStructure function soon. We'll keep you updated.

D4N added a commit that referenced this issue Aug 30, 2018
D4N added a commit that referenced this issue Sep 1, 2018
D4N added a commit that referenced this issue Sep 1, 2018
piponazo pushed a commit that referenced this issue Sep 10, 2018
D4N added a commit that referenced this issue Sep 10, 2018
a17r pushed a commit to a17r/exiv2 that referenced this issue Sep 18, 2018
This commit adds an out-of-bounds protection in the case that the
extracted values for offset & count are summed up larger than the size
of the file. Also this function checks for overflows before performing
the addition.

This fixes Exiv2#159
D4N added a commit to D4N/exiv2 that referenced this issue Oct 11, 2018
The bug described in the issue got resolved by PR Exiv2#461 (slices).
@D4N D4N added the bug label Oct 11, 2018
D4N added a commit to D4N/exiv2 that referenced this issue Oct 11, 2018
The bug described in the issue got resolved by PR Exiv2#461 (slices).
@D4N D4N closed this as completed in #479 Oct 12, 2018
D4N added a commit that referenced this issue Oct 12, 2018
@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018
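The two layers of checking this thread converges on, written out as an added example in C that is not exiv2's code: the overflow-safe offset+count bounds check described in D4N's commit message (the #160 fix), and the per-read length checks that a slice-style accessor (the approach the #461 "slices" fix is said to take) enforces inside the extracted IPTC buffer. The second PoC's trace (a 1-byte heap region, read at index 1) shows why the first check alone is not enough: the IFD entry can legitimately point inside the file yet hand printStructure a buffer too small for even one IPTC record header. The IPTC IIM record layout used here (0x1C marker, record number, dataset number, 2-byte big-endian length, payload) is the standard format; the sample byte strings are constructed for the example and the function names are this example's own, not exiv2's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Overflow-safe check that [offset, offset+count) lies inside a buffer of
 * total_size bytes. Rejects the case where offset + count would wrap before
 * comparing, which is the check the commit message above describes. */
bool range_in_bounds(size_t offset, size_t count, size_t total_size)
{
    if (count > SIZE_MAX - offset) return false;   /* sum would wrap */
    return offset + count <= total_size;
}

/* A minimal "slice": pointer plus length. All reads go through the two
 * accessors below, which fail instead of reading past the end. */
typedef struct {
    const uint8_t *data;
    size_t len;
} slice_t;

static bool slice_read_u8(const slice_t *s, size_t pos, uint8_t *out)
{
    if (pos >= s->len) return false;
    *out = s->data[pos];
    return true;
}

static bool slice_read_be16(const slice_t *s, size_t pos, uint16_t *out)
{
    if (!range_in_bounds(pos, 2, s->len)) return false;
    *out = (uint16_t)((s->data[pos] << 8) | s->data[pos + 1]);
    return true;
}

/* Walk IPTC IIM records inside buf: each record is 0x1C, record number,
 * dataset number, 2-byte big-endian payload length, then the payload.
 * Extended lengths (high bit set) are treated as malformed here, an
 * assumption made to keep the example short. Returns the number of
 * records walked, or -1 if any header or payload does not fit in buf. */
int walk_iptc_records(const uint8_t *buf, size_t len)
{
    slice_t s = { buf, len };
    size_t pos = 0;
    int records = 0;

    while (pos < s.len) {
        uint8_t marker, record, dataset;
        uint16_t size;
        /* Every byte of the 5-byte header is bounds-checked individually,
         * so a 1-byte buffer fails at the second read instead of overreading. */
        if (!slice_read_u8(&s, pos, &marker) || marker != 0x1C) return -1;
        if (!slice_read_u8(&s, pos + 1, &record)) return -1;
        if (!slice_read_u8(&s, pos + 2, &dataset)) return -1;
        if (!slice_read_be16(&s, pos + 3, &size)) return -1;
        if (size & 0x8000) return -1;
        /* Payload must fit too; pos + 5 cannot wrap because the header read succeeded. */
        if (!range_in_bounds(pos + 5, size, s.len)) return -1;
        pos += 5 + size;
        records++;
    }
    return records;
}

/* Constructed sample inputs (not taken from the PoC files). */
const uint8_t sample_ok[] = {
    0x1C, 0x02, 0x05, 0x00, 0x03, 'A', 'B', 'C',   /* record 2:5, 3-byte payload */
    0x1C, 0x02, 0x78, 0x00, 0x00                   /* record 2:120, empty payload */
};
const uint8_t sample_one_byte[] = { 0x1C };                         /* mirrors the 1-byte region in the trace */
const uint8_t sample_truncated[] = { 0x1C, 0x02, 0x05, 0x00, 0x10, 'x' }; /* claims 16 bytes, has 1 */

int main(void)
{
    printf("in-file check, offset 0 count 1 of 100: %d\n", range_in_bounds(0, 1, 100));
    printf("wrapping offset+count rejected: %d\n", !range_in_bounds(SIZE_MAX - 1, 4, 100));
    printf("valid buffer: %d records\n", walk_iptc_records(sample_ok, sizeof sample_ok));
    printf("1-byte buffer: %d\n", walk_iptc_records(sample_one_byte, sizeof sample_one_byte));
    printf("truncated payload: %d\n", walk_iptc_records(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

The point of routing every access through the slice accessors is that the size of the buffer handed to the IPTC walker is decided by a different layer (the TIFF IFD entry's count) than the layer that reads it, so the reader cannot assume any minimum size; it has to carry the length with the pointer and check each read against it.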