assertion failure in TiffDirectory::doWriteImage #1847

Closed
kevinbackhouse opened this issue Aug 5, 2021 · 0 comments · Fixed by #1848
This one is like #1833, because I am only able to reproduce it with the fuzzer.

Reproduction steps (main branch):

```
mkdir build-fuzz
cd build-fuzz
cmake -DCMAKE_BUILD_TYPE=Debug -DEXIV2_ENABLE_PNG=ON -DEXIV2_ENABLE_WEBREADY=ON -DEXIV2_ENABLE_CURL=ON -DEXIV2_ENABLE_BMFF=ON -DEXIV2_TEAM_WARNINGS_AS_ERRORS=ON -DCMAKE_CXX_COMPILER=$(which clang++) -DEXIV2_BUILD_FUZZ_TESTS=ON -DEXIV2_TEAM_USE_SANITIZERS=ON ..
make -j $(nproc)
./bin/fuzz-read-print-write poc.jpg
```

poc: poc

output:

```
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2316516359
INFO: Loaded 2 modules   (44015 inline 8-bit counters): 43967 [0x7f6be23abfb0, 0x7f6be23b6b6f), 48 [0x4f2140, 0x4f2170), 
INFO: Loaded 2 PC tables (44015 PCs): 43967 [0x7f6be23b6b70,0x7f6be2462760), 48 [0x4c6d50,0x4c7050), 
./bin/fuzz-read-print-write: Running 1 inputs 1 time(s) each.
Running: poc.jpg
fuzz-read-print-write: /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1543: virtual uint32_t Exiv2::Internal::TiffDirectory::doWriteImage(Exiv2::Internal::IoWrapper &, Exiv2::ByteOrder) const: Assertion `pSubIfd == 0' failed.
==3876184== ERROR: libFuzzer: deadly signal
    #0 0x4b2a30 in __sanitizer_print_stack_trace (/home/kev/work/exiv2/build-fuzz-debug/bin/fuzz-read-print-write+0x4b2a30)
    #1 0x45cbc8 in fuzzer::PrintStackTrace() (/home/kev/work/exiv2/build-fuzz-debug/bin/fuzz-read-print-write+0x45cbc8)
    #2 0x441c53 in fuzzer::Fuzzer::CrashCallback() (/home/kev/work/exiv2/build-fuzz-debug/bin/fuzz-read-print-write+0x441c53)
    #3 0x7f6be1b531ef  (/lib/x86_64-linux-gnu/libpthread.so.0+0x141ef)
    #4 0x7f6be1964fba in __libc_signal_restore_set signal/../sysdeps/unix/sysv/linux/internal-signals.h:105:3
    #5 0x7f6be1964fba in raise signal/../sysdeps/unix/sysv/linux/raise.c:47:3
    #6 0x7f6be194a863 in abort stdlib/abort.c:79:7
    #7 0x7f6be194a748 in __assert_fail_base assert/assert.c:92:3
    #8 0x7f6be195c3d5 in __assert_fail assert/assert.c:101:3
    #9 0x7f6be2169fff in Exiv2::Internal::TiffDirectory::doWriteImage(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder) const /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1543:17
    #10 0x7f6be21666fb in Exiv2::Internal::TiffComponent::writeImage(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder) const /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1532:16
    #11 0x7f6be216a228 in Exiv2::Internal::TiffSubIfd::doWriteImage(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder) const /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1569:25
    #12 0x7f6be21666fb in Exiv2::Internal::TiffComponent::writeImage(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder) const /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1532:16
    #13 0x7f6be216a034 in Exiv2::Internal::TiffDirectory::doWriteImage(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder) const /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1547:31
    #14 0x7f6be21666fb in Exiv2::Internal::TiffComponent::writeImage(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder) const /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1532:16
    #15 0x7f6be216a228 in Exiv2::Internal::TiffSubIfd::doWriteImage(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder) const /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1569:25
    #16 0x7f6be21666fb in Exiv2::Internal::TiffComponent::writeImage(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder) const /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1532:16
    #17 0x7f6be216a034 in Exiv2::Internal::TiffDirectory::doWriteImage(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder) const /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1547:31
    #18 0x7f6be21666fb in Exiv2::Internal::TiffComponent::writeImage(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder) const /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1532:16
    #19 0x7f6be2165dee in Exiv2::Internal::TiffDirectory::doWrite(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder, int, unsigned int, unsigned int, unsigned int&) /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1180:20
    #20 0x7f6be216510e in Exiv2::Internal::TiffComponent::write(Exiv2::Internal::IoWrapper&, Exiv2::ByteOrder, int, unsigned int, unsigned int, unsigned int&) /home/kev/work/exiv2/src/tiffcomposite_int.cpp:1055:16
    #21 0x7f6be21872a1 in Exiv2::Internal::TiffParserWorker::encode(Exiv2::BasicIo&, unsigned char const*, unsigned int, Exiv2::ExifData const&, Exiv2::IptcData const&, Exiv2::XmpData const&, unsigned int, void (Exiv2::Internal::TiffEncoder::* (*)(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase*, Exiv2::Exifdatum const*), Exiv2::Internal::TiffHeaderBase*, Exiv2::Internal::OffsetWriter*) /home/kev/work/exiv2/src/tiffimage_int.cpp:1934:26
    #22 0x7f6be1f4364b in Exiv2::ExifParser::encode(std::vector<unsigned char, std::allocator<unsigned char> >&, unsigned char const*, unsigned int, Exiv2::ByteOrder, Exiv2::ExifData const&) /home/kev/work/exiv2/src/exif.cpp:751:26
    #23 0x7f6be1fb89b1 in Exiv2::JpegBase::doWriteMetadata(Exiv2::BasicIo&) /home/kev/work/exiv2/src/jpgimage.cpp:1063:38
    #24 0x7f6be1fb68e7 in Exiv2::JpegBase::writeMetadata() /home/kev/work/exiv2/src/jpgimage.cpp:873:9
    #25 0x4b4674 in LLVMFuzzerTestOneInput /home/kev/work/exiv2/fuzz/fuzz-read-print-write.cpp:35:12
    #26 0x4433f1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/kev/work/exiv2/build-fuzz-debug/bin/fuzz-read-print-write+0x4433f1)
    #27 0x42d0a2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/kev/work/exiv2/build-fuzz-debug/bin/fuzz-read-print-write+0x42d0a2)
    #28 0x433410 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/kev/work/exiv2/build-fuzz-debug/bin/fuzz-read-print-write+0x433410)
    #29 0x45d3a2 in main (/home/kev/work/exiv2/build-fuzz-debug/bin/fuzz-read-print-write+0x45d3a2)
    #30 0x7f6be194c564 in __libc_start_main csu/../csu/libc-start.c:332:16
    #31 0x407bbd in _start (/home/kev/work/exiv2/build-fuzz-debug/bin/fuzz-read-print-write+0x407bbd)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
```

The assertion failure is at tiffcomposite_int.cpp, line 1575.
