
CVE-2017-1000128 - Description | Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser #177

Closed
anarcat opened this issue Nov 23, 2017 · 2 comments

anarcat commented Nov 23, 2017

In this discussion, CVE-2017-1000128 was disclosed: a malformed jpeg2000 file causes a (large) out of bounds read.

POC: heap-oob-read.jp2.gz

Stack trace:

==32038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f5e099e6838 at pc 0x00000050f22c bp 0x7ffdf7f3dcd0 sp 0x7ffdf7f3d480
READ of size 808464432 at 0x7f5e099e6838 thread T0
    #0 0x50f22b in __asan_memcpy (/r/exiv2/exiv2+0x50f22b)
    #1 0x6e82bc in Exiv2::Jp2Image::readMetadata() /f/exiv2-trunk/src/jp2image.cpp:277:29
    #2 0x59786a in Action::Print::printSummary() /f/exiv2-trunk/src/actions.cpp:289:16
    #3 0x596ef8 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /f/exiv2-trunk/src/actions.cpp:244:44
    #4 0x55fb3f in main /f/exiv2-trunk/src/exiv2.cpp:170:25
    #5 0x7f5e130a71d0 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.24-r2/work/glibc-2.24/csu/../csu/libc-start.c:289
    #6 0x468979 in _start (/r/exiv2/exiv2+0x468979)

0x7f5e099e6838 is located 0 bytes to the right of 808452152-byte region [0x7f5dd96e6800,0x7f5e099e6838)
allocated by thread T0 here:
    #0 0x55af00 in operator new[](unsigned long) (/r/exiv2/exiv2+0x55af00)
    #1 0x6e8176 in Exiv2::DataBuf::DataBuf(long) /f/exiv2-trunk/src/../include/exiv2/types.hpp:204:46
    #2 0x6e8176 in Exiv2::Jp2Image::readMetadata() /f/exiv2-trunk/src/jp2image.cpp:273
    #3 0x59786a in Action::Print::printSummary() /f/exiv2-trunk/src/actions.cpp:289:16
    #4 0x596ef8 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /f/exiv2-trunk/src/actions.cpp:244:44
    #5 0x7f5e130a71d0 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.24-r2/work/glibc-2.24/csu/../csu/libc-start.c:289

This issue is triggered by afl when exiv is compiled with ASAN.
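The memcpy size in the trace, 808464432, is 0x30303030, the ASCII bytes "0000": the copy length was taken straight from the file. As an added example, not exiv2's code and not the fix in #193, the following C shows the check a JP2 box parser needs before allocating or copying a box: the declared box length is validated against the bytes actually remaining in the input. The function name and the two sample boxes are constructed for this illustration; the header layout is the standard JP2 box format (4-byte big-endian length, 4-byte type, optional 64-bit extended length).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes: a negative value means the box header must be rejected. */
#define JP2_BOX_TRUNCATED  (-1L)   /* not enough bytes for the header itself */
#define JP2_BOX_BAD_LENGTH (-2L)   /* declared length exceeds the input      */

/* Validate one JP2 box header (4-byte big-endian length, 4-byte type) that
 * starts at box, with n bytes of input left. Returns the payload size that
 * is safe to allocate and copy, or a negative code. A length of 0 means
 * "box runs to end of file"; a length of 1 means a 64-bit length follows. */
static long box_payload_len(const uint8_t *box, size_t n)
{
    if (n < 8) return JP2_BOX_TRUNCATED;
    uint64_t len = ((uint64_t)box[0] << 24) | ((uint64_t)box[1] << 16) |
                   ((uint64_t)box[2] << 8)  |  (uint64_t)box[3];
    size_t hdr = 8;
    if (len == 0) {
        len = n;                          /* runs to end of input */
    } else if (len == 1) {                /* XLBox: extended length */
        if (n < 16) return JP2_BOX_TRUNCATED;
        len = 0;
        for (int i = 8; i < 16; i++) len = (len << 8) | box[i];
        hdr = 16;
    }
    /* The check the reported memcpy lacks: never trust the declared size
     * beyond what is actually present in the input. */
    if (len < hdr || len > n) return JP2_BOX_BAD_LENGTH;
    return (long)(len - hdr);
}

/* Constructed inputs, not taken from the report's PoC file:
 * BAD_BOX's length field is ASCII "0000" = 0x30303030 = 808464432, the exact
 * size of the out-of-bounds read in the ASAN trace, but only 4 payload bytes
 * follow it. GOOD_BOX is the standard 12-byte JP2 signature box. */
static const uint8_t BAD_BOX[]  = { '0','0','0','0', 'j','p','2','c',
                                    0xff,0x4f,0xff,0x51 };
static const uint8_t GOOD_BOX[] = { 0x00,0x00,0x00,0x0c, 'j','P',' ',' ',
                                    0x0d,0x0a,0x87,0x0a };

int main(void)
{
    printf("bad box:  %ld (rejected before any allocation)\n",
           box_payload_len(BAD_BOX, sizeof BAD_BOX));
    printf("good box: %ld payload bytes\n",
           box_payload_len(GOOD_BOX, sizeof GOOD_BOX));
    return 0;
}
```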

@piponazo (Collaborator) commented

I have tested this in the branch I created in #193, and the overflow does not happen anymore.

We hope to merge that branch soon, but meanwhile, would you mind double-checking whether you can reproduce the issue after checking out that branch?

@piponazo (Collaborator) commented

#193 has already been merged into master.

@clanmills clanmills added this to the v0.27 milestone Nov 8, 2018