$./exiv2 POC4
RW2 IMAGE
GDB debugging information is as follows:
(gdb) set args POC4
(gdb) r
...
(gdb) bt
#0 Exiv2::Image::printIFDStructure (this=<optimized out>, io=..., out=..., option=Exiv2::kpsRecursive, start=0,
bSwap=<optimized out>, c=<optimized out>, depth=0) at image.cpp:492
#1 0x00007ffff70b90e1 in Exiv2::Image::printTiffStructure (this=0x611000009dc0, io=..., out=...,
option=Exiv2::kpsRecursive, depth=-1, offset=<optimized out>) at image.cpp:518
#2 0x00007ffff724924c in Exiv2::Rw2Image::printStructure (this=<optimized out>, out=..., option=<optimized out>,
depth=<optimized out>) at rw2image.cpp:115
#3 0x00007ffff724a1dc in Exiv2::Rw2Image::readMetadata (this=<optimized out>) at rw2image.cpp:134
#4 0x0000000000518d8c in Action::Print::printSummary (this=<optimized out>) at actions.cpp:289
#5 0x0000000000518489 in Action::Print::run (this=0x60400000da50, path=...) at actions.cpp:244
#6 0x00000000004e2ebc in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
This vulnerability was triggered in Exiv2::Image::printIFDStructure () at image.cpp:492, which will result in an infinite loop.
348 do {
349 // Read top of directory
350 io.seek(start,BasicIo::beg);
351 io.read(dir.pData_, 2);
352 uint16_t dirLength = byteSwap2(dir,0,bSwap);
353
354 bool tooBig = dirLength > 500;
355 if ( tooBig ) throw Error(55);
356
357 if ( bFirst && bPrint ) {
359 if ( tooBig ) out << Internal::indent(depth) << "dirLength = " << dirLength << std::endl;
360 }
361
...
491 if ( start ) {
492 io.read(dir.pData_, 4);
493 start = tooBig ? 0 : byteSwap4(dir,0,bSwap);
494 }
495 } while (start) ;
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact [email protected] and [email protected] if you need more info about the team, the tool or the vulnerability.
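The loop above follows next-IFD offsets until one is zero, so an offset that points back at an IFD already read never terminates. The walker below is an added example, not Exiv2's own code: it keeps the do/while shape of printIFDStructure but records each IFD offset and stops on a repeat. It assumes a little-endian ("II") buffer and a constructed 16-byte sample (makeSample, a hypothetical helper), not the POC4 file from the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <set>
#include <stdexcept>
#include <vector>

// Thrown when a next-IFD pointer leads back to an IFD already visited.
struct IfdCycle : std::runtime_error { using std::runtime_error::runtime_error; };

// Little-endian readers with bounds checks (the sample below is "II" order).
static uint16_t rd16(const std::vector<uint8_t>& b, size_t off) {
    if (off + 2 > b.size()) throw std::runtime_error("truncated read");
    return uint16_t(b[off] | (b[off + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t off) {
    if (off + 4 > b.size()) throw std::runtime_error("truncated read");
    return uint32_t(b[off]) | (uint32_t(b[off + 1]) << 8) |
           (uint32_t(b[off + 2]) << 16) | (uint32_t(b[off + 3]) << 24);
}

// Follow the IFD chain from `start`: read dirLength, skip the 12-byte
// entries, read the next-IFD offset. Returns the number of IFDs visited and
// throws IfdCycle instead of spinning forever when an offset repeats.
size_t walkIfdChain(const std::vector<uint8_t>& buf, uint32_t start) {
    std::set<uint32_t> seen;
    size_t count = 0;
    do {
        if (!seen.insert(start).second) throw IfdCycle("IFD offset repeats");
        uint16_t dirLength = rd16(buf, start);
        if (dirLength > 500) throw std::runtime_error("dirLength too big");
        ++count;
        start = rd32(buf, size_t(start) + 2 + size_t(dirLength) * 12);
    } while (start);
    return count;
}

// Status-code wrapper: >= 0 IFD count, -1 cycle detected, -2 malformed input.
int walkStatus(const std::vector<uint8_t>& buf, uint32_t start) {
    try { return int(walkIfdChain(buf, start)); }
    catch (const IfdCycle&) { return -1; }
    catch (const std::exception&) { return -2; }
}

// Constructed sample (not the POC4 file): a TIFF header pointing at an
// empty IFD at offset 8 whose next-IFD field is `nextPtr`.
std::vector<uint8_t> makeSample(uint32_t nextPtr) {
    std::vector<uint8_t> b(16, 0);
    b[0] = 'I'; b[1] = 'I'; b[2] = 42; b[4] = 8;   // "II", magic 42, IFD0 at 8
    for (int i = 0; i < 4; ++i) b[10 + i] = uint8_t(nextPtr >> (8 * i));
    return b;
}
```

makeSample(0) is a well-formed one-IFD chain, makeSample(8) is the self-referencing case that the original loop never leaves, and an out-of-range pointer is rejected by the bounds check rather than read past the buffer.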
I'm forwarding a security vulnerability reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=1470913
The file used to reproduce the issue is here:
https://bugzilla.redhat.com/attachment.cgi?id=1298062
(it's a rar archive containing the file used to reproduce the issue)
Here's a copy of the report:
This vulnerability was triggered in Exiv2::Image::printIFDStructure () at image.cpp:492, which will result in an infinite loop.
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact [email protected] and [email protected] if you need more info about the team, the tool or the vulnerability.