CVE-2019-17402: Overflow in exiv2 · Issue #1019 · Exiv2/exiv2
Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.
We found a vulnerability in the exiv2 binary; exiv2 is compiled with clang with ASAN enabled.
Machine : Ubuntu 16.04.3 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
Commit : 401e658
exiv2 : 0.27.99.0
Command : exiv2 -pv $POC
fuzzer@fuzzer:~/victim/exiv2/build/bin$ ./exiv2 -pv POC
=================================================================
==16699==ERROR: AddressSanitizer: unknown-crash on address 0x7f9a857b7143 at pc 0x7f9a84dcc1db bp 0x7ffcb8c7b650 sp 0x7ffcb8c7b648
READ of size 1 at 0x7f9a857b7143 thread T0
#0 0x7f9a84dcc1da in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/types.cpp:289:28
#1 0x7f9a84ebd4c4 in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:285:22
#2 0x7f9a84ebd84e in Exiv2::Internal::CiffComponent::read(unsigned char const*, unsigned int, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:231:9
#3 0x7f9a84ebd84e in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) /home/fuzzer/victim/exiv2/src/crwimage_int.cpp:305
#4 0x7f9a84c5c29d in Exiv2::CrwParser::decode(Exiv2::CrwImage*, unsigned char const*, unsigned int) /home/fuzzer/victim/exiv2/src/crwimage.cpp:150:9
#5 0x7f9a84c5afa0 in Exiv2::CrwImage::readMetadata() /home/fuzzer/victim/exiv2/src/crwimage.cpp:107:9
#6 0x589421 in Action::Print::printList() /home/fuzzer/victim/exiv2/src/actions.cpp:483:9
#7 0x57c1df in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/fuzzer/victim/exiv2/src/actions.cpp:218:26
#8 0x4f4c5f in main /home/fuzzer/victim/exiv2/src/exiv2.cpp:77:23
#9 0x7f9a836be82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41ff38 in _start (/home/fuzzer/victim/exiv2/build/bin/exiv2+0x41ff38)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /home/fuzzer/victim/exiv2/src/types.cpp:289:28 in Exiv2::getULong(unsigned char const*, Exiv2::ByteOrder)
Shadow bytes around the buggy address:
0x0ff3d0aeedd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff3d0aeede0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff3d0aeedf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff3d0aeee00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0ff3d0aeee10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
=>0x0ff3d0aeee20: fe fe fe fe fe fe fe fe[fe]fe fe fe fe fe fe fe
0x0ff3d0aeee30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0ff3d0aeee40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0ff3d0aeee50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0ff3d0aeee60: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
0x0ff3d0aeee70: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16699==ABORTING
fuzzer@fuzzer:~/victim/exiv2/build/bin$
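The CVE text above attributes the crash to reading through an offset that was never checked against the block's total size: frame #1 (CiffDirectory::readDirectory) hands a pointer derived from file data to getULong in frame #0, and ASAN reports a wild read. The following added example is not Exiv2's code and not the project's actual fix; it shows the shape of bounds check a defender would want in such a parser. It assumes a simplified CIFF-like block layout (a trailing 4-byte little-endian directory offset, a 2-byte entry count, then 10-byte entries of tag, data size and data offset) and rejects any block whose offsets and sizes do not fit inside the buffer, using subtraction-form comparisons so that `offset + length` can never wrap around.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Little-endian reads. Callers must already have proven the bytes are in range.
static uint32_t readLE32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}
static uint16_t readLE16(const uint8_t* p) {
    return uint16_t(uint32_t(p[0]) | (uint32_t(p[1]) << 8));
}

// True only if [offset, offset + length) lies inside `size` bytes.
// Written as a subtraction so that offset + length cannot overflow.
static bool inBounds(size_t size, size_t offset, size_t length) {
    return offset <= size && length <= size - offset;
}

// Parse a simplified CIFF-style block (assumed layout, not Exiv2's parser):
//   [data area][directory: 2-byte count, then 10-byte entries][4-byte directory offset]
// Each entry is: 2-byte tag, 4-byte data size, 4-byte data offset (relative to block start).
// Returns the entry count, or -1 if any offset/size relationship is inconsistent with `size`.
static int parseDirectoryCount(const std::vector<uint8_t>& block) {
    const size_t size = block.size();
    if (size < 4) return -1;                         // no room for the trailing offset field
    const size_t usable = size - 4;                  // the directory may not overlap its own offset field
    const size_t dirOffset = readLE32(block.data() + size - 4);

    // The check the CVE description says is missing: the directory offset read from
    // the file must itself point inside the block before anything is read through it.
    if (!inBounds(usable, dirOffset, 2)) return -1;
    const size_t count = readLE16(block.data() + dirOffset);
    const size_t entriesStart = dirOffset + 2;       // cannot overflow: dirOffset <= usable - 2
    if (!inBounds(usable, entriesStart, count * 10)) return -1;

    // Every entry's data range must lie in the data area that precedes the directory.
    for (size_t i = 0; i < count; ++i) {
        const uint8_t* e = block.data() + entriesStart + i * 10;
        const size_t dataSize = readLE32(e + 2);
        const size_t dataOffset = readLE32(e + 6);
        if (!inBounds(dirOffset, dataOffset, dataSize)) return -1;
    }
    return int(count);
}

// Constructed sample block: `payloadBytes` zero bytes of data area, a directory with
// `declaredCount` and `entryBytes` bytes of zeroed entries, then the trailing offset
// field set to `dirOffset`. A well-formed block passes dirOffset == payloadBytes.
static std::vector<uint8_t> buildBlock(size_t payloadBytes, uint16_t declaredCount,
                                       size_t entryBytes, uint32_t dirOffset) {
    std::vector<uint8_t> b(payloadBytes, 0);
    b.push_back(uint8_t(declaredCount & 0xFF));
    b.push_back(uint8_t(declaredCount >> 8));
    b.insert(b.end(), entryBytes, uint8_t(0));
    for (int shift = 0; shift < 32; shift += 8) b.push_back(uint8_t(dirOffset >> shift));
    return b;
}

// Constructed block whose first entry claims 255 bytes of data in a 16-byte data area.
static std::vector<uint8_t> buildOversizedEntryBlock() {
    std::vector<uint8_t> b = buildBlock(16, 3, 30, 16);
    b[18 + 2] = 0xFF;   // entry 0 starts at offset 18; its 4-byte size field starts at 18 + 2
    return b;
}

int main() {
    // Well-formed: 16-byte data area, 3 entries (30 bytes), directory at offset 16.
    int ok = parseDirectoryCount(buildBlock(16, 3, 30, 16));
    // Directory offset far outside the block, the situation the ASAN trace shows.
    int wild = parseDirectoryCount(buildBlock(16, 3, 30, 0xFFFFFFF0u));
    return (ok == 3 && wild == -1) ? 0 : 1;
}
```

`buildBlock` and `buildOversizedEntryBlock` exist only to construct inputs; the parser itself never trusts the count, the directory offset or any entry's offset/size until each has been compared against the bytes actually present.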