CVE-2023-23082: ExifParser: Fix several out of bounds accesses while parsing exif information by fritsch · Pull Request #22380 · xbmc/xbmc
A heap buffer overflow vulnerability in Kodi Home Theater Software up to 19.5 allows attackers to cause a denial of service due to an improper length of the value passed to the offset argument.
Several crafted images could crash Kodi. This was tested with memory and address sanitizers enabled.
cmake -DENABLE_VAAPI=1 -DCORE_PLATFORM_NAME=wayland -DCMAKE_BUILD_TYPE=Debug -DAPP_RENDER_SYSTEM=gl -DECM_ENABLE_SANITIZERS=address,memory
Example Output:
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fritsch/Desktop/xbmc-fritsch/xbmc/build/kodi-wayland+0x3dca321) in CExifParse::Get32(void const*, bool)
Shadow bytes around the buggy address:
0x0c3c8004e070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c8004e080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c8004e090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c8004e0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c8004e0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c8004e0c0: 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa fa
0x0c3c8004e0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c8004e0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c8004e0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c8004e100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c8004e110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==824657==ABORTING
via: https://paste.kodi.tv/kagukejefa.kodi
The issues have long been fixed upstream: https://android.googlesource.com/platform/external/jhead/+/2a4c12f5e5808e309b9ba04fe8b1539debf466d1
Kodi should remove the copied libexif code and use jhead directly.
This fixes: #22377
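As an added illustration of the kind of bounds check the report calls for (example code written for this page, not Kodi's CExifParse nor jhead's fix): a minimal TIFF/Exif IFD0 walker in which every multi-byte read validates its offset and length against the buffer before touching memory, so a crafted IFD offset or entry count produces a parse error instead of the heap read past the end of the block that AddressSanitizer flagged in Get32 above. The struct and function names and the sample byte blobs are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed example, not Kodi's CExifParse or jhead: a TIFF/Exif blob as
// handed to the parser, starting at the byte-order mark ("II" or "MM"),
// with the byte count carried next to the pointer so reads can be checked.
struct ExifBuf {
    const uint8_t* data;
    size_t len;
    bool motorola;  // true for "MM" (big-endian)
};

// Bounds-checked readers. The unchecked pattern (read at data + off without
// comparing against len) is what lets a crafted offset walk off the end of
// the heap block; here an out-of-range read is reported as failure instead.
static bool get16(const ExifBuf& b, size_t off, uint32_t& out) {
    if (off > b.len || b.len - off < 2) return false;
    const uint8_t* p = b.data + off;
    out = b.motorola ? (uint32_t(p[0]) << 8) | p[1] : (uint32_t(p[1]) << 8) | p[0];
    return true;
}
static bool get32(const ExifBuf& b, size_t off, uint32_t& out) {
    if (off > b.len || b.len - off < 4) return false;
    const uint8_t* p = b.data + off;
    out = b.motorola
        ? (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3]
        : (uint32_t(p[3]) << 24) | (uint32_t(p[2]) << 16) | (uint32_t(p[1]) << 8) | p[0];
    return true;
}

struct IfdEntry { uint32_t tag, type, count, value; };  // value field kept raw

// Validates the TIFF header, then walks IFD0. Every number taken from the
// file (IFD offset, entry count, entry position) is checked before it is
// used as a read position. Returns entries parsed, or -1 if malformed.
int parseIfd0(const uint8_t* data, size_t len, std::vector<IfdEntry>& entries) {
    entries.clear();
    if (len < 8) return -1;
    ExifBuf b{data, len, false};
    if (data[0] == 'M' && data[1] == 'M') b.motorola = true;
    else if (!(data[0] == 'I' && data[1] == 'I')) return -1;
    uint32_t magic = 0, ifdOff = 0, n = 0;
    if (!get16(b, 2, magic) || magic != 42) return -1;
    if (!get32(b, 4, ifdOff)) return -1;
    if (ifdOff < 8) return -1;            // IFD0 may not overlap the header
    if (!get16(b, ifdOff, n)) return -1;  // rejects an IFD offset past the end
    // All n (<= 65535) twelve-byte entries must fit inside the buffer; one
    // check up front also rules out reading a partial final entry.
    size_t table = size_t(ifdOff) + 2;
    if (table > len || (len - table) / 12 < n) return -1;
    for (uint32_t i = 0; i < n; ++i) {
        size_t e = table + size_t(i) * 12;
        IfdEntry ent{};
        if (!get16(b, e, ent.tag) || !get16(b, e + 2, ent.type) ||
            !get32(b, e + 4, ent.count) || !get32(b, e + 8, ent.value)) return -1;
        entries.push_back(ent);
    }
    return int(n);
}

// Constructed sample blobs (not the crashing images from the report).
// Well-formed, little-endian: one IFD0 entry, Orientation (0x0112) = 1.
const std::vector<uint8_t> kGoodExifLE = {
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,   // header, IFD0 at 8
    0x01, 0x00,                                     // one entry
    0x12, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00};                        // no next IFD
// The same entry in big-endian byte order.
const std::vector<uint8_t> kGoodExifBE = {
    'M', 'M', 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08, 0x00, 0x01,
    0x01, 0x12, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00};
// Crafted: IFD0 offset 0xFFFFFF00 points far beyond the 12-byte buffer.
const std::vector<uint8_t> kHugeIfdOffset = {
    'I', 'I', 0x2A, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00};
// Crafted: entry count says one entry, but the buffer ends 4 bytes into it.
const std::vector<uint8_t> kTruncatedIfd = {
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x12, 0x01, 0x03, 0x00};

int entryCount(const std::vector<uint8_t>& blob) {
    std::vector<IfdEntry> e;
    return parseIfd0(blob.data(), blob.size(), e);
}
uint32_t firstTag(const std::vector<uint8_t>& blob) {
    std::vector<IfdEntry> e;
    return parseIfd0(blob.data(), blob.size(), e) > 0 ? e[0].tag : 0;
}

int main() {
    printf("LE: %d entries, first tag 0x%04x\n", entryCount(kGoodExifLE), firstTag(kGoodExifLE));
    printf("BE: %d entries, first tag 0x%04x\n", entryCount(kGoodExifBE), firstTag(kGoodExifBE));
    printf("huge IFD offset -> %d, truncated IFD -> %d\n",
           entryCount(kHugeIfdOffset), entryCount(kTruncatedIfd));
    return 0;
}
```

Both crafted blobs are rejected before any read past the buffer; built with the sanitizer flags shown above, the same inputs against an unchecked reader are exactly what produces a heap-buffer-overflow report. The one design point worth copying is that the length travels with the pointer and every reader checks both the offset and the remaining space, rather than trusting values decoded from the file.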