Headline
CVE-2022-24614: A list of bugs found (33 bugs in total) · Issue #561 · drewnoakes/metadata-extractor
When reading a specially crafted JPEG file, metadata-extractor up to 2.16.0 can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against services that use metadata-extractor library.
1. Unique Bugs Found
Recently we (Zhang Cen, Huang Wenjie and Zhang Xiaohan) discovered a series of bugs in latest metadta-extractor (2.16.0).
Every bug we reported in the following is unique and reproducable. We sorted and refined them from thousands of crashes.
Furthermore, they have been manually analyzed and triaged in removing the duplicates.
Due to the lack of contextual knowledge in the metadta-extractor library, we cannot thoroughly fix some bugs hence we look forward to any proposed plan from the developers in fixing these bugs.
2. Bug Report and Crash Seeds
The bug report folder can be downloaded from https://drive.google.com/drive/folders/17UpSofkqh1KV1L5yGWzRFOT37LAJgliM?usp=sharing
It contains both reports and crash seeds.
3. Test Program to Reproduce Crashes
The test program can be downloaded from https://drive.google.com/file/d/1TfMaxAUyjuQIwXfQzHT-xUN7f25piqWt/view?usp=sharing
Total 33 bugs are reported in this pull request.
A full list is provided below.
4. Folder Structure
- Level 1 (folder): exception type
- Level 2 (folder): error location
- Level 3 (files): POC file and report.txt including reproducing steps
5. report.txt content:
- Exception type
- Error location
- Bug cause and impact
- Crash thread’s stacks
- Steps to reproduce
6. Bug Full List
metadata-extractor_reported_crashes
├── java.lang.ArithmeticException
│ └── com.drew.metadata.exif.PanasonicRawDistortionDescriptor.getDistortionScaleDescription–PanasonicRawDistortionDescriptor.java-97
├── java.lang.ArrayIndexOutOfBoundsException
│ ├── com.drew.metadata.exif.ExifDescriptorBase.formatCFAPattern–ExifDescriptorBase.java-586
│ └── com.drew.metadata.mp3.Mp3Reader.extract–Mp3Reader.java-96
├── java.lang.IllegalArgumentException
│ ├── com.drew.lang.StreamReader.skip–StreamReader.java-95
│ ├── com.drew.metadata.mov.atoms.FileTypeCompatibilityAtom.–FileTypeCompatibilityAtom.java-46
│ ├── com.drew.metadata.mov.atoms.SampleDescriptionAtom.–SampleDescriptionAtom.java-44
│ └── com.drew.metadata.mov.atoms.TimeToSampleAtom.–TimeToSampleAtom.java-44
├── java.lang.IndexOutOfBoundsException
│ ├── com.drew.metadata.mov.atoms.SoundSampleDescriptionAtom.addMetadata–SoundSampleDescriptionAtom.java-49
│ ├── com.drew.metadata.mov.atoms.SubtitleSampleDescriptionAtom.addMetadata–SubtitleSampleDescriptionAtom.java-75
│ ├── com.drew.metadata.mov.atoms.TextSampleDescriptionAtom.addMetadata–TextSampleDescriptionAtom.java-48
│ ├── com.drew.metadata.mov.atoms.TimecodeSampleDescriptionAtom.addMetadata–TimecodeSampleDescriptionAtom.java-48
│ ├── com.drew.metadata.mov.atoms.TimeToSampleAtom.addMetadata–TimeToSampleAtom.java-64
│ ├── com.drew.metadata.mov.atoms.VideoSampleDescriptionAtom.addMetadata–VideoSampleDescriptionAtom.java-49
│ └── com.drew.metadata.mov.metadata.QuickTimeDataHandler.processData–QuickTimeDataHandler.java-105
├── java.lang.NegativeArraySizeException
│ ├── com.drew.lang.SequentialByteArrayReader.getBytes–SequentialByteArrayReader.java-77
│ ├── com.drew.lang.SequentialReader.getNullTerminatedBytes–SequentialReader.java-374
│ └── com.drew.lang.StreamReader.getBytes–StreamReader.java-71
├── java.lang.NullPointerException
│ ├── com.drew.imaging.quicktime.QuickTimeHandler.addError–QuickTimeHandler.java-63
│ ├── com.drew.metadata.Directory.setString–Directory.java-287
│ ├── com.drew.metadata.Metadata.getFirstDirectoryOfType–Metadata.java-101
│ ├── com.drew.metadata.mov.atoms.SubtitleSampleDescriptionAtom.addMetadata–SubtitleSampleDescriptionAtom.java-77
│ ├── com.drew.metadata.mov.atoms.TimeToSampleAtom.addMetadata–TimeToSampleAtom.java-64
│ ├── com.drew.metadata.mov.media.QuickTimeSoundHandler.processTimeToSample–QuickTimeSoundHandler.java-73
│ ├── com.drew.metadata.mov.metadata.QuickTimeDirectoryHandler.processData–QuickTimeDirectoryHandler.java-88
│ ├── com.drew.metadata.mov.QuickTimeMediaHandler.–QuickTimeMediaHandler.java-48
│ ├── com.drew.metadata.mp4.boxes.TimeToSampleBox.addMetadata–TimeToSampleBox.java-58
│ └── com.drew.metadata.mp4.boxes.TimeToSampleBox.addMetadata–TimeToSampleBox.java-65
├── java.lang.OutOfMemoryError
│ ├── com.drew.lang.SequentialByteArrayReader.getBytes–SequentialByteArrayReader.java-77
│ ├── com.drew.lang.SequentialReader.getNullTerminatedBytes–SequentialReader.java-374
│ └── com.drew.lang.StreamReader.getBytes–StreamReader.java-71
└── java.lang.StringIndexOutOfBoundsException
├── com.drew.metadata.exif.ExifTiffHandler.processPrintIM–ExifTiffHandler.java-733
├── com.drew.metadata.icc.IccDescriptor.getTagDataString–IccDescriptor.java-196
└── com.drew.metadata.icc.IccDescriptor.getTagDataString–IccDescriptor.java-94
Any further discussion for these vulnerabilities including fix is welcomed and look forward to hearing from you.
Feel free to contact me at [email protected]