CVE-2019-14369: AddressSanitizer: heap-buffer-overflow in PngImage::readMetadata() pngimage.cpp:438 · Issue #953 · Exiv2/exiv2
Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0 allows attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file.
Describe the bug
In my research, a heap overflow was found in Exiv2::readChunk(Exiv2::DataBuf&, Exiv2::BasicIo&) at /src/pngimage.cpp:410.
To Reproduce
exiv2 -pv $poc
poc.zip
Expected behavior
=================================================================
==6866==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000001b0 at pc 0x7f6fac214733 bp 0x7ffdf4470950 sp 0x7ffdf44700f8
READ of size 8 at 0x6030000001b0 thread T0
#0 0x7f6fac214732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x7f6fab7af723 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2 0x7f6fab7af723 in Exiv2::MemIo::read(unsigned char*, unsigned long) /home/tim/exiv2-asan/src/basicio.cpp:1354
#3 0x7f6faba0b142 in Exiv2::readChunk(Exiv2::DataBuf&, Exiv2::BasicIo&) /home/tim/exiv2-asan/src/pngimage.cpp:410
#4 0x7f6faba182f9 in Exiv2::PngImage::readMetadata() /home/tim/exiv2-asan/src/pngimage.cpp:438
#5 0x7f6fab8faa9c in Exiv2::PgfImage::readMetadata() /home/tim/exiv2-asan/src/pgfimage.cpp:153
#6 0x559495100458 in Action::Print::printList() /home/tim/exiv2-asan/src/actions.cpp:483
#7 0x55949510629d in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/tim/exiv2-asan/src/actions.cpp:218
#8 0x55949507e692 in main /home/tim/exiv2-asan/src/exiv2.cpp:77
#9 0x7f6faac58b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#10 0x55949507f359 in _start (/home/tim/exiv2-asan/build/bin/exiv2+0x18359)
0x6030000001b0 is located 2 bytes to the right of 30-byte region [0x603000000190,0x6030000001ae)
allocated by thread T0 here:
#0 0x7f6fac27b618 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0618)
#1 0x7f6fab97f0e3 in Exiv2::DataBuf::DataBuf(unsigned long) /home/tim/exiv2-asan/src/types.cpp:144
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff8000: fa fa fd fd fd fd fa fa 00 00 00 06 fa fa fd fd
0x0c067fff8010: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x0c067fff8020: fd fd fd fd fa fa 00 00 00 00 fa fa 00 00 00 fa
=>0x0c067fff8030: fa fa 00 00 00 06[fa]fa 00 00 00 fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==6866==ABORTING
Desktop (please complete the following information):
- ubuntu18
- gcc 7.4.0
- -fsanitize=address -g
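The sanitizer report above records an 8-byte memcpy read inside MemIo::read that starts 2 bytes past the end of a 30-byte heap region while readChunk is fetching the next PNG chunk. Added illustration, not Exiv2's code: a hypothetical in-memory reader that clamps every read to the bytes actually remaining, plus a chunk-header reader that treats a short read as a failure, exercised on a constructed 30-byte buffer with the cursor at offset 32 (the report's position) and at offsets where a full header no longer fits.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical in-memory reader standing in for a MemIo-style object
// (illustration only, not the Exiv2 implementation).
class MemReader {
public:
    MemReader(const std::vector<uint8_t>& d, size_t cursor) : data_(d), idx_(cursor) {}
    // Copies at most `want` bytes and returns how many were copied: the clamp keeps
    // the memcpy source inside data_ even if the cursor sits past the buffer end.
    size_t read(uint8_t* dst, size_t want) {
        size_t avail = idx_ < data_.size() ? data_.size() - idx_ : 0;
        size_t n = want < avail ? want : avail;
        if (n) std::memcpy(dst, data_.data() + idx_, n);
        idx_ += n;
        return n;
    }
private:
    const std::vector<uint8_t>& data_;
    size_t idx_;
};
// PNG chunk header: 4-byte big-endian data length, then 4-byte chunk type.
struct ChunkHeader { uint32_t length; char type[5]; };
// Fails cleanly when fewer than 8 bytes remain instead of parsing garbage.
bool readChunkHeader(MemReader& io, ChunkHeader& out) {
    uint8_t hdr[8];
    if (io.read(hdr, sizeof hdr) != sizeof hdr) return false;
    out.length = (uint32_t(hdr[0]) << 24) | (uint32_t(hdr[1]) << 16) |
                 (uint32_t(hdr[2]) << 8) | uint32_t(hdr[3]);
    std::memcpy(out.type, hdr + 4, 4);
    out.type[4] = '\0';
    return true;
}
// Constructed 30-byte sample (the report's region size): valid IHDR at offset 0, zeros after.
std::vector<uint8_t> sample() {
    std::vector<uint8_t> v = {0, 0, 0, 13, 'I', 'H', 'D', 'R'};
    v.resize(30, 0);
    return v;
}
// Parses a chunk header at `cursor` and returns its data length, or -1 when a full
// header is not available. Cursor 32 mirrors the trace: 2 bytes past the buffer end.
long chunkLengthAt(size_t cursor) {
    std::vector<uint8_t> buf = sample();
    MemReader io(buf, cursor);
    ChunkHeader h;
    if (!readChunkHeader(io, h)) return -1;
    return static_cast<long>(h.length);
}
```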