Bug #1305

Segmentation fault on certain image

Added by Oleg Antonyan 4 months ago. Updated 2 months ago.

Status: Closed
Start date: 28 Jul 2017
Priority: Normal
Due date:
Assignee: Robin Mills
% Done: 100%
Category: miscellaneous
Estimated time: 8.00 hours
Target version: v0.26.1

Description

Originally discovered in Gwenview, which uses libexiv2: https://bugs.kde.org/show_bug.cgi?id=382842
The problematic image is attached.

libexiv2 0.26 openSUSE Tumbleweed 64 bit

Thread 1 "gwenview" received signal SIGSEGV, Segmentation fault.
0x00007ffff180fb5f in Exiv2::ExifData::findKey(Exiv2::ExifKey const&) const () from /usr/lib64/libexiv2.so.26
(gdb) bt
#0 0x00007ffff180fb5f in Exiv2::ExifData::findKey(Exiv2::ExifKey const&) const () from /usr/lib64/libexiv2.so.26
#1 0x00007ffff18556a1 in Exiv2::Internal::PentaxMakerNote::printShutterCount(std::ostream&, Exiv2::Value const&, Exiv2::ExifData const*) ()
from /usr/lib64/libexiv2.so.26
#2 0x00007ffff746c0cf in ?? () from /usr/lib64/libgwenviewlib.so.5
#3 0x00007ffff7468b89 in Gwenview::ImageMetaInfoModel::setExiv2Image(Exiv2::Image const*) () from /usr/lib64/libgwenviewlib.so.5
#4 0x00007ffff74207b7 in Gwenview::Document::setExiv2Image(std::auto_ptr<Exiv2::Image>) () from /usr/lib64/libgwenviewlib.so.5
#5 0x00007ffff741f7d1 in ?? () from /usr/lib64/libgwenviewlib.so.5
#6 0x00007ffff742fa11 in ?? () from /usr/lib64/libgwenviewlib.so.5
#7 0x00007ffff3a7645a in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib64/libQt5Core.so.5
#8 0x00007ffff3873103 in QFutureWatcherBase::event(QEvent*) () from /usr/lib64/libQt5Core.so.5
#9 0x00007ffff4f0a93c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib64/libQt5Widgets.so.5
#10 0x00007ffff4f11cb4 in QApplication::notify(QObject*, QEvent*) () from /usr/lib64/libQt5Widgets.so.5
#11 0x00007ffff3a48f28 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib64/libQt5Core.so.5
#12 0x00007ffff3a4b515 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib64/libQt5Core.so.5
#13 0x00007ffff3a9f373 in postEventSourceDispatch(_GSource*, int (*)(void*), void*) () from /usr/lib64/libQt5Core.so.5
#14 0x00007fffec763b57 in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#15 0x00007fffec763d88 in ?? () from /usr/lib64/libglib-2.0.so.0
#16 0x00007fffec763e1c in g_main_context_iteration () from /usr/lib64/libglib-2.0.so.0
#17 0x00007ffff3a9e9ef in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib64/libQt5Core.so.5
#18 0x00007ffff3a4753a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib64/libQt5Core.so.5
#19 0x00007ffff3a4fdc4 in QCoreApplication::exec() () from /usr/lib64/libQt5Core.so.5
#20 0x0000555555588189 in ?? ()
#21 0x00007ffff30bc46a in __libc_start_main () from /lib64/libc.so.6
#22 0x000055555558854a in _start ()

IMGP0006.JPG - Problematic image (175 KB) Oleg Antonyan, 28 Jul 2017 11:17

IMGP0006-min.jpg (12.1 KB) Henri Salo, 29 Jul 2017 12:00

IMGP0006-min.jpg (12.1 KB) Henri Salo, 29 Jul 2017 12:01

History

#1 Updated by Robin Mills 4 months ago

  • Category set to not-a-bug
  • Status changed from New to Assigned
  • Assignee set to Robin Mills
  • Target version set to v0.26.1
  • % Done changed from 0 to 100
  • Estimated time set to 1.00

I can't reproduce this with the exiv2(.exe) command line program on MacOS-X.

506 rmills@rmillsmbp:~/gnu/exiv2/0.26 $ exiv2 -pa ~/Downloads/IMGP0006.JPG 
Warning: Directory Pentax, entry 0x0004: Data area exceeds data buffer, ignoring it.
Error: XMP Toolkit error 203: Duplicate property or field node
Warning: Failed to decode XMP metadata.
Exif.Image.Make                              Ascii      19  PENTAX Corporation
Exif.Image.Model                             Ascii      17  PENTAX Optio M50
...
Exif.Thumbnail.XResolution                   Rational    1  72
Exif.Thumbnail.YResolution                   Rational    1  72
Exif.Thumbnail.ResolutionUnit                Short       1  inch
Exif.Thumbnail.JPEGInterchangeFormat         Long        1  5520
Exif.Thumbnail.JPEGInterchangeFormatLength   Long        1  7564
507 rmills@rmillsmbp:~/gnu/exiv2/0.26 $

#3 Updated by Henri Salo 4 months ago

With version 0.26 from http://exiv2.org/builds/exiv2-0.26-trunk.tar.gz

Build with: DFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address -ggdb -fno-omit-frame-pointer" ./configure --enable-video --enable-webready

This file causes a heap buffer overflow when executed using the -pa flag. Without the -pa flag no heap buffer overflow is detected.

258d54d0745e9958eb803da602cc45363f06dd3b7e37268f1dd18c1e20fdd860 IMGP0006.JPG
c3f8acd2496fc8f80ad6f730e363eb6ddfffe77353d31440047a0ee768069c2b IMGP0006-min.jpg

I have attached a minimized sample file (using afl-2.49b/afl-tmin).

ASan output is below:

afl@haiven2:~/exiv2-crashes$ ~/builds/exiv2/0.26-afl-asan/bin/exiv2 -pa IMGP0006.JPG 
Warning: Directory Pentax, entry 0x0004: Data area exceeds data buffer, ignoring it.
Error: XMP Toolkit error 203: Duplicate property or field node
Warning: Failed to decode XMP metadata.
Exif.Image.Make                              Ascii      19  PENTAX Corporation
Exif.Image.Model                             Ascii      17  PENTAX Optio M50
Exif.Image.Orientation                       Short       1  top, left
Exif.Image.XResolution                       Rational    1  72
Exif.Image.YResolution                       Rational    1  72
Exif.Image.ResolutionUnit                    Short       1  inch
Exif.Image.Software                          Ascii      12  GIMP 2.8.22
Exif.Image.DateTime                          Ascii      20  2017:07:27 20:49:15
Exif.Image.YCbCrPositioning                  Short       1  Co-sited
Exif.Image.ExifTag                           Long        1  582
Exif.Photo.ExposureTime                      Rational    1  1/25 s
Exif.Photo.FNumber                           Rational    1  F3.5
Exif.Photo.ISOSpeedRatings                   Short       1  800
Exif.Photo.ExifVersion                       Undefined   4  2.20
Exif.Photo.DateTimeOriginal                  Ascii      20  2008:01:01 00:00:45
Exif.Photo.DateTimeDigitized                 Ascii      20  2008:01:01 00:00:45
Exif.Photo.ComponentsConfiguration           Undefined   4  YCbCr
Exif.Photo.CompressedBitsPerPixel            Rational    1  1
Exif.Photo.ExposureBiasValue                 SRational   1  0 EV
Exif.Photo.MaxApertureValue                  Rational    1  F3.5
Exif.Photo.MeteringMode                      Short       1  Multi-segment
Exif.Photo.Flash                             Short       1  No, compulsory
Exif.Photo.FocalLength                       Rational    1  6.3 mm
Exif.Photo.MakerNote                         Undefined 4364  (Binary value suppressed)
Exif.MakerNote.Offset                        Long        1  1024
Exif.MakerNote.ByteOrder                     Ascii       3  II
Exif.Pentax.Version                          Byte        4  4.2.0.0
Exif.Pentax.Mode                             Short       1  Manual
Exif.Pentax.PreviewResolution                Short       2  640x480
Exif.Pentax.PreviewLength                    Long        1  38648
Exif.Pentax.PreviewOffset                    Long        1  15933
Exif.Pentax.ModelID                          Long        1  Optio M50
Exif.Pentax.Date                             Undefined   4  2008:01:01
Exif.Pentax.Time                             Undefined   3  00:00:45
Exif.Pentax.Quality                          Short       1  Better
Exif.Pentax.Size                             Short       1  3264x2448
Exif.Pentax.Flash                            Short       1  Off, Did not fire
Exif.Pentax.Focus                            Short       1  Macro
Exif.Pentax.AFPoint                          Short       1  Auto
Exif.Pentax.AFPointInFocus                   Short       1  Top-left
Exif.Pentax.ExposureTime                     Long        1  38.97 ms
Exif.Pentax.FNumber                          Short       1  F3.5
Exif.Pentax.ISO                              Short       1  800
Exif.Pentax.ExposureCompensation             Short       1  0 EV
Exif.Pentax.MeteringMode                     Short       1  Multi Segment
Exif.Pentax.WhiteBalance                     Short       1  Auto
Exif.Pentax.WhiteBalanceMode                 Short       1  Auto (Flash)
Exif.Pentax.BlueBalance                      Short       1  469
Exif.Pentax.RedBalance                       Short       1  401
Exif.Pentax.FocalLength                      Long        1  6.3 mm
Exif.Pentax.DigitalZoom                      Short       1  100
Exif.Pentax.Saturation                       Short       1  Normal
Exif.Pentax.Contrast                         Short       1  Normal
Exif.Pentax.Sharpness                        Short       1  Normal
Exif.Pentax.Location                         Short       1  Home town
Exif.Pentax.Hometown                         Short       1  New York
Exif.Pentax.Destination                      Short       1  New York
Exif.Pentax.HometownDST                      Short       1  No
Exif.Pentax.DestinationDST                   Short       1  No
Exif.Pentax.DSPFirmwareVersion               Undefined   4  254 255 255 255
Exif.Pentax.ImageProcessing                  Undefined   4  Unprocessed
Exif.Pentax.DigitalFilter                    Short       1  Off
=================================================================
==12028==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000077b4 at pc 0x7fe2167a3708 bp 0x7ffcd49ceea0 sp 0x7ffcd49cee98
READ of size 4 at 0x6020000077b4 thread T0
    #0 0x7fe2167a3707 in Exiv2::ValueType<unsigned int>::toLong(long) const ../include/exiv2/value.hpp:1659
    #1 0x7fe2169d5b42 in Exiv2::Internal::PentaxMakerNote::printShutterCount(std::ostream&, Exiv2::Value const&, Exiv2::ExifData const*) /home/afl/src/exiv2-trunk/src/pentaxmn.cpp:1193
    #2 0x7fe21692bde7 in Exiv2::Metadatum::print(Exiv2::ExifData const*) const /home/afl/src/exiv2-trunk/src/metadatum.cpp:80
    #3 0x46beaa in Action::Print::printMetadatum(Exiv2::Metadatum const&, Exiv2::Image const*) /home/afl/src/exiv2-trunk/src/actions.cpp:757
    #4 0x4721e6 in Action::Print::printMetadata(Exiv2::Image const*) /home/afl/src/exiv2-trunk/src/actions.cpp:549
    #5 0x472e01 in Action::Print::printList() /home/afl/src/exiv2-trunk/src/actions.cpp:538
    #6 0x491e07 in Action::Print::run(std::string const&) /home/afl/src/exiv2-trunk/src/actions.cpp:245
    #7 0x407c67 in main /home/afl/src/exiv2-trunk/src/exiv2.cpp:170
    #8 0x7fe2158ebb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #9 0x408cd9 (/home/afl/builds/exiv2/0.26-afl-asan/bin/exiv2+0x408cd9)

0x6020000077b4 is located 0 bytes to the right of 4-byte region [0x6020000077b0,0x6020000077b4)
allocated by thread T0 here:
    #0 0x7fe2178b5fff in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54fff)
    #1 0x7fe2167a9efa in __gnu_cxx::new_allocator<unsigned int>::allocate(unsigned long, void const*) /usr/include/c++/4.9/ext/new_allocator.h:104
    #2 0x7fe2167a9efa in __gnu_cxx::__alloc_traits<std::allocator<unsigned int> >::allocate(std::allocator<unsigned int>&, unsigned long) /usr/include/c++/4.9/ext/alloc_traits.h:182
    #3 0x7fe2167a9efa in std::_Vector_base<unsigned int, std::allocator<unsigned int> >::_M_allocate(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:170
    #4 0x7fe2167a9efa in std::_Vector_base<unsigned int, std::allocator<unsigned int> >::_M_create_storage(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:185
    #5 0x7fe2167a9efa in _Vector_base /usr/include/c++/4.9/bits/stl_vector.h:136
    #6 0x7fe2167a9efa in vector /usr/include/c++/4.9/bits/stl_vector.h:320
    #7 0x7fe2167a9efa in ValueType ../include/exiv2/value.hpp:1544
    #8 0x7fe2167a9efa in Exiv2::ValueType<unsigned int>::clone_() const ../include/exiv2/value.hpp:1632
    #9 0x7fe21681abf4 in Exiv2::Value::clone() const ../include/exiv2/value.hpp:122
    #10 0x7fe21681abf4 in Exiv2::Exifdatum::Exifdatum(Exiv2::Exifdatum const&) /home/afl/src/exiv2-trunk/src/exif.cpp:221
    #11 0x7fe21681cae3 in __gnu_cxx::new_allocator<Exiv2::Exifdatum>::construct(Exiv2::Exifdatum*, Exiv2::Exifdatum const&) /usr/include/c++/4.9/ext/new_allocator.h:130
    #12 0x7fe21681cae3 in std::list<Exiv2::Exifdatum, std::allocator<Exiv2::Exifdatum> >::_M_create_node(Exiv2::Exifdatum const&) /usr/include/c++/4.9/bits/stl_list.h:496
    #13 0x7fe21681cae3 in std::list<Exiv2::Exifdatum, std::allocator<Exiv2::Exifdatum> >::_M_insert(std::_List_iterator<Exiv2::Exifdatum>, Exiv2::Exifdatum const&) /usr/include/c++/4.9/bits/stl_list.h:1680
    #14 0x7fe21681cae3 in std::list<Exiv2::Exifdatum, std::allocator<Exiv2::Exifdatum> >::push_back(Exiv2::Exifdatum const&) /usr/include/c++/4.9/bits/stl_list.h:1029
    #15 0x7fe21681cae3 in Exiv2::ExifData::add(Exiv2::Exifdatum const&) /home/afl/src/exiv2-trunk/src/exif.cpp:577
    #16 0x7fe21681cb8c in Exiv2::ExifData::add(Exiv2::ExifKey const&, Exiv2::Value const*) /home/afl/src/exiv2-trunk/src/exif.cpp:571
    #17 0x7fe216b9f6c1 in Exiv2::Internal::TiffDecoder::decodeStdTiffEntry(Exiv2::Internal::TiffEntryBase const*) /home/afl/src/exiv2-trunk/src/tiffvisitor.cpp:488
    #18 0x7fe216af8ca1 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
    #19 0x7fe216af8ca1 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:919
    #20 0x7fe216af7520 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
    #21 0x7fe216af7520 in Exiv2::Internal::TiffIfdMakernote::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:949
    #22 0x7fe216af6821 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
    #23 0x7fe216af6821 in Exiv2::Internal::TiffMnEntry::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:938
    #24 0x7fe216af8ca1 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
    #25 0x7fe216af8ca1 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:919
    #26 0x7fe216af594d in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
    #27 0x7fe216af594d in Exiv2::Internal::TiffSubIfd::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:931
    #28 0x7fe216af8ca1 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
    #29 0x7fe216af8ca1 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:919
    #30 0x7fe216b5f20b in Exiv2::Internal::TiffParserWorker::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int, unsigned int, void (Exiv2::Internal::TiffDecoder::*(*)(std::string const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase const*), Exiv2::Internal::TiffHeaderBase*) /home/afl/src/exiv2-trunk/src/tiffimage.cpp:1907
    #31 0x7fe216b5f20b in Exiv2::TiffParser::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int) /home/afl/src/exiv2-trunk/src/tiffimage.cpp:266
    #32 0x7fe21681f83a in Exiv2::ExifParser::decode(Exiv2::ExifData&, unsigned char const*, unsigned int) /home/afl/src/exiv2-trunk/src/exif.cpp:629
    #33 0x7fe2168ef0fc in Exiv2::JpegBase::readMetadata() /home/afl/src/exiv2-trunk/src/jpgimage.cpp:386
    #34 0x472d11 in Action::Print::printList() /home/afl/src/exiv2-trunk/src/actions.cpp:530
    #35 0x491e07 in Action::Print::run(std::string const&) /home/afl/src/exiv2-trunk/src/actions.cpp:245
    #36 0x407c67 in main /home/afl/src/exiv2-trunk/src/exiv2.cpp:170
    #37 0x7fe2158ebb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../include/exiv2/value.hpp:1659 Exiv2::ValueType<unsigned int>::toLong(long) const
Shadow bytes around the buggy address:
  0x0c047fff8ea0: fa fa fd fd fa fa 02 fa fa fa 00 00 fa fa fd fa
  0x0c047fff8eb0: fa fa fd fd fa fa 04 fa fa fa 00 00 fa fa fd fa
  0x0c047fff8ec0: fa fa fd fd fa fa 04 fa fa fa 00 00 fa fa fd fa
  0x0c047fff8ed0: fa fa fd fd fa fa 02 fa fa fa 00 00 fa fa fd fa
  0x0c047fff8ee0: fa fa fd fd fa fa 04 fa fa fa 00 00 fa fa fd fa
=>0x0c047fff8ef0: fa fa fd fd fa fa[04]fa fa fa 00 00 fa fa fd fa
  0x0c047fff8f00: fa fa fd fd fa fa 02 fa fa fa 00 00 fa fa fd fa
  0x0c047fff8f10: fa fa fd fd fa fa 04 fa fa fa 00 00 fa fa fd fa
  0x0c047fff8f20: fa fa fd fd fa fa 04 fa fa fa 00 00 fa fa fd fa
  0x0c047fff8f30: fa fa fd fd fa fa 02 fa fa fa 00 00 fa fa fd fa
  0x0c047fff8f40: fa fa fd fd fa fa 02 fa fa fa 00 00 fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==12028==ABORTING

#4 Updated by Robin Mills 4 months ago

  • Category changed from not-a-bug to miscellaneous
  • % Done changed from 100 to 20
  • Estimated time changed from 1.00 to 5.00

Thanks for providing a lot more information about this issue. I'm on vacation at the moment and will investigate when I get home next week.

#5 Updated by Jacopo Guderzo 4 months ago

The function PentaxMakerNote::printShutterCount [pentaxmn.cpp#L1168] is missing a null check for the parameter ExifData* metadata.

Gwenview uses operator<<(std::ostream& os, const Metadatum& md) to get metadata values, and with this operator the pointer is always null.

#6 Updated by Robin Mills 4 months ago

Are you saying that the fix is:

    std::ostream& PentaxMakerNote::printShutterCount(std::ostream& os, const Value& value, const ExifData* metadata)
    {
        if ( ! metadata ) return os;

        ExifData::const_iterator dateIt = metadata->findKey(
                ExifKey("Exif.PentaxDng.Date"));
        ...
    }

#7 Updated by Jacopo Guderzo 4 months ago

I don't know whether it's better to return the untouched stream, to put "undefined" or to put the raw value without decoding it, but basically yes, that's the fix.

#8 Updated by Robin Mills 4 months ago

  • % Done changed from 20 to 80
  • Estimated time changed from 5.00 to 2.00

Right. Thank you very much for working on this and discovering the "core" of the issue. I think you are correct; we should do something like return os << "undefined";.

I hope to submit the fix today.

Thanks again for your help.

#9 Updated by Robin Mills 2 months ago

  • % Done changed from 80 to 100
  • Estimated time changed from 2.00 to 8.00

Fix submitted to https://github.com/Exiv2/exiv2 5405d61
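The two guards this thread converges on, shown as an added, self-contained C++ example (not Exiv2's code and not the fix in 5405d61): a null check on the optional ExifData* context before it is dereferenced (comments #5 to #8), and a bounds check on the value's component count before indexing it, which is the out-of-bounds read the ASan report attributes to ValueType<unsigned int>::toLong in value.hpp:1659. LongValue, Metadata, Metadatum, dateKey, render and renderViaStream are stand-ins invented for this example; the "Exif.PentaxDng.Date" lookup comes from the snippet in #6, and the XOR with dateKey is a placeholder for the real Pentax decoding, not a description of it.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <ostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-in for Exiv2::ValueType<uint32_t>: the components of a
// LONG tag. toLong(n) indexes without a bounds check, like the read ASan
// flagged in the thread's report, so callers must check count() first.
struct LongValue {
    std::vector<std::uint32_t> comps;
    std::size_t count() const { return comps.size(); }
    long toLong(std::size_t n) const { return static_cast<long>(comps[n]); }
};

// Hypothetical stand-in for Exiv2::ExifData: tag key -> printed value.
using Metadata = std::map<std::string, std::string>;

// Placeholder key derivation (constructed for this example, not the Pentax
// algorithm): folds the date string into a 32-bit key.
std::uint32_t dateKey(const std::string& date) {
    std::uint32_t key = 0;
    for (unsigned char c : date) key = key * 31u + c;
    return key;
}

// Hardened printer in the shape of PentaxMakerNote::printShutterCount.
// Every dereference and index is preceded by a guard:
//   1. metadata may legitimately be null (the operator<< path passes none);
//   2. the tag must carry at least one component before toLong(0) runs;
//   3. the date tag the decode depends on must actually be present.
std::ostream& printShutterCount(std::ostream& os, const LongValue& value,
                                const Metadata* metadata) {
    if (metadata == nullptr) return os << "undefined";        // guard 1
    if (value.count() < 1)   return os << "undefined";        // guard 2
    auto dateIt = metadata->find("Exif.PentaxDng.Date");
    if (dateIt == metadata->end()) return os << "undefined";  // guard 3
    std::uint32_t raw = static_cast<std::uint32_t>(value.toLong(0));
    return os << (raw ^ dateKey(dateIt->second));
}

// Hypothetical stand-in for Exiv2::Metadatum with the stream-insertion path
// the thread describes: it has no ExifData to hand over, so the printer is
// always invoked with a null context pointer on this path.
struct Metadatum {
    LongValue value;
};
std::ostream& operator<<(std::ostream& os, const Metadatum& md) {
    return printShutterCount(os, md.value, nullptr);
}

// Constructed sample inputs: a metadata set with the date tag, and one without.
const Metadata& sampleMetadata() {
    static const Metadata md{{"Exif.PentaxDng.Date", "2008:01:01"}};
    return md;
}
const Metadata& emptyMetadata() {
    static const Metadata md;
    return md;
}

// Wrappers that return the printed text so each call path can be checked.
std::string render(const LongValue& value, const Metadata* metadata) {
    std::ostringstream oss;
    printShutterCount(oss, value, metadata);
    return oss.str();
}
std::string renderViaStream(const Metadatum& md) {
    std::ostringstream oss;
    oss << md;
    return oss.str();
}

int main() {
    LongValue count{{42u}};  // constructed 1-component shutter-count tag
    std::cout << "full context : " << render(count, &sampleMetadata()) << '\n';
    std::cout << "no date tag  : " << render(count, &emptyMetadata()) << '\n';
    std::cout << "null context : " << render(count, nullptr) << '\n';
    std::cout << "empty value  : " << render(LongValue{}, &sampleMetadata()) << '\n';
    std::cout << "operator<<   : " << renderViaStream(Metadatum{count}) << '\n';
    return 0;
}
```

The operator<< path is the one Gwenview took in the original backtrace, so a regression check for this class of bug should exercise the printer through stream insertion (no context) as well as through the command-line path that supplies ExifData; a test that only covers the latter would have passed on the crashing build.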

#10 Updated by Robin Mills 2 months ago

  • Status changed from Assigned to Closed
