Bug #1340

Infinite loop bugs in Libexiv2 Exiv2::Image::printIFDStructure()

Added by Sanjay Rawat 3 months ago. Updated 2 months ago.

Status: Assigned
Priority: Normal
Assignee: Robin Mills
Category: metadata
Target version: 0.27
Start date: 03 Apr 2018
Due date:
% Done: 30%
Estimated time: 2.00 hours

Description

Hi,
I have found a few infinite loop bugs in libexiv2 (0.26 001a00) with the following command line:
exiv2 POC
With GDB, the following is the output:
@
(gdb) bt
#0  0x00007ffff6ee2360 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ffff6e6d5b0 in _IO_new_file_underflow (fp=0x6376a0) at fileops.c:613
#2  0x00007ffff6e6c3a8 in __GI__IO_file_xsgetn (fp=0x6376a0, data=<optimized out>, n=4) at fileops.c:1418
#3  0x00007ffff6e6186f in __GI__IO_fread (buf=<optimized out>, size=1, count=4, fp=0x6376a0) at iofread.c:42
#4  0x00007ffff77db9f1 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) () from /usr/local/lib/libexiv2.so.26
#5  0x00007ffff77dc178 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) () from /usr/local/lib/libexiv2.so.26
#6  0x00007ffff784db13 in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) () from /usr/local/lib/libexiv2.so.26
#7  0x00007ffff784d586 in Exiv2::TiffImage::readMetadata() () from /usr/local/lib/libexiv2.so.26
#8  0x000000000041bdfd in Action::Print::printSummary() ()
#9  0x000000000041e1a8 in Action::Print::run(std::string const&) ()
#10 0x0000000000406bba in main ()
(gdb) f 4
#4  0x00007ffff77db9f1 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) () from /usr/local/lib/libexiv2.so.26
(gdb) list
76 in ../sysdeps/unix/syscall-template.S
@

From this it appears that the problem is in Exiv2::Image::printIFDStructure(). I have attached two inputs as POCs that exhibit the behavior.
Thanks & Regards

exiv2-hangs.tar.gz - POC inputs (7.16 KB) Sanjay Rawat, 03 Apr 2018 08:57
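The report does not say what in the attached POC files makes printIFDStructure() loop, and the backtrace only shows the process parked in fread() via _IO_file_underflow, i.e. reading at end of file. As an added example (not exiv2 code, and not a description of the fix referenced later in this issue), the block below is a minimal walker over a little-endian TIFF IFD chain with the three checks any directory walker needs so that no input can keep it spinning: a next-IFD pointer that revisits an offset is a cycle, the chain length is capped, and a short read (fread() returning fewer bytes than requested, which at EOF it will do forever) ends the walk instead of being retried. The sample files are constructed inline; make_chain, walk_ifds, WalkResult and the 64-IFD cap are this example's own names and choices.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Added example, not exiv2 code: a terminating walker over a TIFF IFD chain.
struct WalkResult {
    size_t ifds = 0;          // IFDs visited
    size_t entries = 0;       // directory entries counted across all IFDs
    std::string stop_reason;  // why the walk ended
};

static uint16_t le16(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Bounds-checked read over an in-memory file. Returning false is the analogue of
// fread() returning less than the requested count; a loop that ignores that
// return value and re-reads at EOF never makes progress.
static bool read_at(const std::vector<uint8_t>& f, size_t off, size_t n, uint8_t* out) {
    if (off > f.size() || n > f.size() - off) return false;
    std::memcpy(out, f.data() + off, n);
    return true;
}

// Walks the chain of IFDs starting from the header's first-IFD offset.
// max_ifds (64 here, an arbitrary choice for this example) caps the chain length.
WalkResult walk_ifds(const std::vector<uint8_t>& f, size_t max_ifds = 64) {
    WalkResult r;
    uint8_t hdr[8];
    if (!read_at(f, 0, 8, hdr) || hdr[0] != 'I' || hdr[1] != 'I' || le16(hdr + 2) != 42) {
        r.stop_reason = "bad header";
        return r;
    }
    uint32_t off = le32(hdr + 4);
    std::set<uint32_t> seen;  // IFD offsets already visited
    while (off != 0) {
        // Check 1: a next-IFD pointer to an offset already visited is a cycle.
        if (!seen.insert(off).second) { r.stop_reason = "cycle"; break; }
        // Check 2: cap the chain length regardless of its shape.
        if (r.ifds >= max_ifds) { r.stop_reason = "too many IFDs"; break; }
        // Check 3: every read is checked; a short read ends the walk.
        uint8_t buf[4];
        if (!read_at(f, off, 2, buf)) { r.stop_reason = "short read (entry count)"; break; }
        uint16_t n = le16(buf);
        size_t next_off = size_t(off) + 2 + size_t(n) * 12;  // entries are 12 bytes each
        if (!read_at(f, next_off, 4, buf)) { r.stop_reason = "short read (next IFD)"; break; }
        r.ifds++;
        r.entries += n;
        off = le32(buf);
    }
    if (r.stop_reason.empty()) r.stop_reason = "end of chain";
    return r;
}

// Constructed sample: "II" header, then `count` IFDs of one entry each (18 bytes
// per IFD, so IFD i sits at offset 8 + 18*i). Each IFD points at the next one;
// the last one's next-IFD pointer is `last_next` (0 = proper end, 8 = loop back
// to the first IFD, an offset past EOF = truncated chain).
std::vector<uint8_t> make_chain(size_t count, uint32_t last_next) {
    std::vector<uint8_t> f = {0x49, 0x49, 42, 0, 8, 0, 0, 0};
    for (size_t i = 0; i < count; ++i) {
        uint32_t next = (i + 1 < count) ? uint32_t(8 + 18 * (i + 1)) : last_next;
        f.insert(f.end(), {1, 0});                                       // entry count = 1
        f.insert(f.end(), {0x0e, 0x01, 2, 0, 1, 0, 0, 0, 0, 0, 0, 0});   // tag 0x010e, ASCII, count 1
        for (int b = 0; b < 4; ++b) f.push_back(uint8_t(next >> (8 * b)));
    }
    return f;
}

int main() {
    const struct { const char* name; std::vector<uint8_t> file; } cases[] = {
        {"well-formed", make_chain(1, 0)},
        {"self-loop", make_chain(1, 8)},
        {"three IFDs looping back", make_chain(3, 8)},
        {"next IFD past EOF", make_chain(3, 1000)},
        {"100 IFDs vs cap of 64", make_chain(100, 0)},
    };
    for (const auto& c : cases) {
        WalkResult r = walk_ifds(c.file);
        std::cout << c.name << ": " << r.ifds << " IFDs, " << r.entries
                  << " entries, stopped: " << r.stop_reason << "\n";
    }
    return 0;
}
```

Removing either the `seen` set or the `max_ifds` cap lets the self-loop file run forever; dropping the check on the second read_at() turns the truncated file into the endless re-read at EOF that the backtrace above is showing.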

History

#1 Updated by Robin Mills 3 months ago

  • Category set to metadata
  • Status changed from New to Assigned
  • Assignee set to Robin Mills
  • Target version set to 0.27
  • % Done changed from 0 to 30
  • Estimated time set to 2.00

Thanks for reporting this. I've reproduced this on 'master'. There is a known fix for this: http://dev.exiv2.org/boards/3/topics/3080

The work to push this fix into 'master' is PR#180 https://github.com/Exiv2/exiv2/pull/180. I'm not sure why integrating PR#180 has been delayed; however, it is most certainly in progress.

Because I don't anticipate new/unanticipated work to deal with this, I will leave this issue open to ensure that we test your files when PR#180 is completed. I believe we'll add your files to our test suite at that time.

#2 Updated by Sanjay Rawat 2 months ago

Thank you Robin for looking into this.
regards
-sanjay
