Package: libexiv2-13
Version: 0.24-4.1
Tags: security
Usertags: afl

Exiv2 crashes on the attached file:

$ exiv2 pr crash.riff
*** Error in `exiv2': double free or corruption (!prev): 0x09669910 ***
Aborted

Valgrind says it's a buffer overflow:

==5509== Invalid write of size 4
==5509==    at 0x452BD6C: __GI_mempcpy (mempcpy.S:54)
==5509==    by 0x451E307: _IO_file_xsgetn (fileops.c:1388)
==5509==    by 0x45200B7: _IO_sgetn (genops.c:495)
==5509==    by 0x4513998: fread (iofread.c:42)
==5509==    by 0x40AF816: fread (stdio2.h:295)
==5509==    by 0x40AF816: Exiv2::FileIo::read(unsigned char*, long) (basicio.cpp:941)
==5509==    by 0x415B513: Exiv2::RiffVideo::dateTimeOriginal(long, int) (riffvideo.cpp:695)
==5509==    by 0x4162401: Exiv2::RiffVideo::tagDecoder(Exiv2::DataBuf&, unsigned long) (riffvideo.cpp:611)
==5509==    by 0x41625C8: Exiv2::RiffVideo::decodeBlock() (riffvideo.cpp:574)
==5509==    by 0x41629B0: Exiv2::RiffVideo::readMetadata() (riffvideo.cpp:549)
==5509==    by 0x805F61F: Action::Print::printSummary() (actions.cpp:258)
==5509==    by 0x8061AFC: Action::Print::run(std::string const&) (actions.cpp:236)
==5509==    by 0x804C3D0: main (exiv2.cpp:171)
==5509==  Address 0x46b6081 is 97 bytes inside a block of size 100 alloc'd
==5509==    at 0x4029DFC: operator new[](unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==5509==    by 0x415B4F9: DataBuf (types.hpp:199)
==5509==    by 0x415B4F9: Exiv2::RiffVideo::dateTimeOriginal(long, int) (riffvideo.cpp:694)
==5509==    by 0x4162401: Exiv2::RiffVideo::tagDecoder(Exiv2::DataBuf&, unsigned long) (riffvideo.cpp:611)
==5509==    by 0x41625C8: Exiv2::RiffVideo::decodeBlock() (riffvideo.cpp:574)
==5509==    by 0x41629B0: Exiv2::RiffVideo::readMetadata() (riffvideo.cpp:549)
==5509==    by 0x805F61F: Action::Print::printSummary() (actions.cpp:258)
==5509==    by 0x8061AFC: Action::Print::run(std::string const&) (actions.cpp:236)
==5509==    by 0x804C3D0: main (exiv2.cpp:171)

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
(available in Debian experimental)

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libexiv2-13:i386 depends on:
ii  libc6              2.19-17
ii  libexpat1          2.1.0-6+b3
ii  libgcc1            1:5-20150321-1
ii  libstdc++6         5-20150321-1
ii  multiarch-support  2.19-17
ii  zlib1g             1:1.2.8.dfsg-2+b1

Versions of packages libexiv2-13:i386 suggests:
ii  exiv2  0.24-4.1

-- 
Jakub Wilk
crash.riff
Description: video/riff
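The trace above shows a length taken from the file being read into a fixed 100-byte DataBuf. As an added illustration (not exiv2's code and not the fix that was applied to it), here is a bounds-checked RIFF chunk reader that rejects a chunk whose declared size exceeds the destination capacity or the bytes remaining in the input; the function names, the 100-byte capacity constant and the constructed "IDIT" sample chunks are assumptions for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Fixed destination capacity, mirroring the 100-byte block in the valgrind trace.
constexpr size_t kDateTimeBufSize = 100;

struct RiffChunk {
    std::string fourcc;            // 4-byte chunk id, e.g. "IDIT" (AVI digitization time)
    uint32_t declared_size = 0;    // little-endian size field as read from the file
    std::vector<uint8_t> payload;  // bytes actually copied, never more than capacity
};

// Parses one RIFF chunk (8-byte header + payload) at `offset` in `data`.
// Returns false, having read nothing beyond the header, when the declared
// size exceeds the destination capacity or the bytes left in the input.
bool readChunkBounded(const std::vector<uint8_t>& data, size_t offset,
                      size_t capacity, RiffChunk& out) {
    if (offset > data.size() || data.size() - offset < 8) return false;  // no full header
    out.fourcc.assign(reinterpret_cast<const char*>(&data[offset]), 4);
    // RIFF sizes are little-endian uint32; assemble byte-wise (no alignment/endianness tricks).
    out.declared_size = 0;
    for (int i = 0; i < 4; ++i)
        out.declared_size |= static_cast<uint32_t>(data[offset + 4 + i]) << (8 * i);
    const size_t remaining = data.size() - offset - 8;
    // The check the crashing path lacked: a file-controlled length must be
    // validated against the fixed buffer before anything is read into it.
    if (out.declared_size > capacity) return false;
    if (out.declared_size > remaining) return false;   // truncated input
    out.payload.assign(data.begin() + offset + 8,
                       data.begin() + offset + 8 + out.declared_size);
    return true;
}

// Builds a chunk with an arbitrary declared size (constructed test input; the
// size deliberately need not match the body, as in a fuzzer-generated file).
std::vector<uint8_t> makeChunk(const char* id, uint32_t size, const std::string& body) {
    std::vector<uint8_t> v(id, id + 4);
    for (int i = 0; i < 4; ++i) v.push_back(static_cast<uint8_t>(size >> (8 * i)));
    v.insert(v.end(), body.begin(), body.end());
    return v;
}

// Returns the date/time text from the chunk at offset 0, or "" when it was rejected.
std::string dateTimeFromChunk(const std::vector<uint8_t>& data) {
    RiffChunk c;
    if (!readChunkBounded(data, 0, kDateTimeBufSize, c)) return "";
    return std::string(c.payload.begin(), c.payload.end());
}
```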