Bug #1340

Infinite loop bugs in Libexiv2 Exiv2::Image::printIFDStructure()

Added by Sanjay Rawat 8 months ago. Updated about 1 month ago.

Status: Closed
Start date: 03 Apr 2018
Priority: Normal
Due date:
Assignee: Robin Mills
% Done: 100%
Category: metadata
Estimated time: 2.00 hours
Target version: 0.27

Description

Hi,
I have found a few infinite loop bugs in the libexiv2 (0.26 001a00) with the following commandline:
exiv2 POC.
With GDB, following is the output:
(gdb) bt
#0 0x00007ffff6ee2360 in __read_nocancel ()
at ../sysdeps/unix/syscall-template.S:81
#1 0x00007ffff6e6d5b0 in _IO_new_file_underflow (fp=0x6376a0) at fileops.c:613
#2 0x00007ffff6e6c3a8 in __GI__IO_file_xsgetn (fp=0x6376a0,
data=<optimized out>, n=4) at fileops.c:1418
#3 0x00007ffff6e6186f in __GI__IO_fread (buf=<optimized out>, size=1,
count=4, fp=0x6376a0) at iofread.c:42
#4 0x00007ffff77db9f1 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) ()
from /usr/local/lib/libexiv2.so.26
#5 0x00007ffff77dc178 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) ()
from /usr/local/lib/libexiv2.so.26
#6 0x00007ffff784db13 in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) () from /usr/local/lib/libexiv2.so.26
#7 0x00007ffff784d586 in Exiv2::TiffImage::readMetadata() ()
from /usr/local/lib/libexiv2.so.26
#8 0x000000000041bdfd in Action::Print::printSummary() ()
#9 0x000000000041e1a8 in Action::Print::run(std::string const&) ()
#10 0x0000000000406bba in main ()
(gdb) f 4
#4 0x00007ffff77db9f1 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) ()
from /usr/local/lib/libexiv2.so.26
(gdb) list
76 in ../sysdeps/unix/syscall-template.S


From this it appears that the problem is in Exiv2::Image::printIFDStructure(). I have attached two inputs as POC that exhibit the behavior.
Thanks & Regards

exiv2-hangs.tar.gz - POC inputs (7.16 KB) Sanjay Rawat, 03 Apr 2018 08:57

History

#1 Updated by Robin Mills 8 months ago

  • Category set to metadata
  • Status changed from New to Assigned
  • Assignee set to Robin Mills
  • Target version set to 0.27
  • % Done changed from 0 to 30
  • Estimated time set to 2.00

Thanks for reporting this. I've reproduced this on 'master'. There is a known fix for this: http://dev.exiv2.org/boards/3/topics/3080

The work to push this fix into 'master' is PR#180 https://github.com/Exiv2/exiv2/pull/180. I'm not sure why integrating PR#180 has been delayed, however it is most certainly in progress.

Because I don't anticipate new/unanticipated work to deal with this, I will leave this issue open to ensure that we test your files when PR#180 is completed. I believe we'll add your files to our test suite at that time.

#2 Updated by Sanjay Rawat 8 months ago

Thank you Robin for looking into this.
regards
-sanjay

#3 Updated by Robin Mills 2 months ago

  • Subject changed from Infinite loop bugs in Libexiv2 Exiv2::Image::printIFDStructure() to Infinite loop bugs in Libexiv2 Exiv2::Image::printIFDStructure()

#4 Updated by Robin Mills about 1 month ago

  • Status changed from Assigned to Closed
  • % Done changed from 30 to 100

Fixed in master and should be included in Exiv2 v0.27 RC2 on 15 November 2018 http://exiv2.dyndns.org

553 rmills@rmillsmbp:~/gnu/github/exiv2/master/build $ bin/exiv2 -pR ~/Downloads/*.exi
STRUCTURE OF TIFF FILE (MM): /Users/rmills/Downloads/extraint-1386.exi
 address |    tag                              |      type |    count |    offset | value
    4618 | 0x00fe NewSubfileType               |      LONG |        1 |           | 0
    4630 | 0x0100 ImageWidth                   |      LONG |        1 |           | 160
    4642 | 0x0101 ImageLength                  |      LONG |        1 |           | 160
    4654 | 0x0102 BitsPerSample                |     SHORT |        3 |      4934 | 8 8 8
    4666 | 0x0103 Compression                  |     SHORT |        1 |           | 6
    4678 | 0x0106 PhotometricInterpretation    |     SHORT |        1 |           | 6
    4690 | 0x0111 StripOffsets                 |      LONG |        1 |           | 610
    4702 | 0x0115 SamplesPerPixel              |     SHORT |        1 |           | 3
    4714 | 0x0116 RowsPerStrip                 |      LONG |        1 |           | 160
    4726 | 0x0117 StripByteCounts              |      LONG |        1 |           | 3447
    4738 | 0x011a XResolution                  |  RATIONAL |        1 |      4940 | 200/2
    4750 | 0x011b YResolution                  |  RATIONAL |        1 |      4948 | 200/2
    4762 | 0x011c PlanarConfiguration          |     SHORT |        1 |           | 1
    4774 | 0x0128 ResolutionUnit               |     SHORT |        1 |           | 2
    4786 | 0x0131 Software                     |     ASCII |       11 |      4956 | HP IL v1.1
    4798 | 0x0200 JPEGProc                     |     SHORT |        1 |           | 1
    4810 | 0x0201 JPEGInterchangeFormat        |      LONG |        1 |           | 8
    4822 | 0x0202 JPEGInterchangeFormatLength  |      LONG |        1 |           | 4608
    4834 | 0x0203 JPEGRestartInterval          |     SHORT |        1 |           | 0
    4846 | 0x0207 JPEGQTables                  |      LONG |        3 |      4968 | 34 103 103
    4858 | 0x0208 JPEGDCTables                 |      LONG |        3 |      4980 | 172 205 205
    4870 | 0x0209 JPEGACTables                 |      LONG |        3 |      4992 | 238 421 421
    4882 | 0x0211 YCbCrCoefficients            |  RATIONAL |        3 |      5004 | 2990/10000 5870/10000 1140/10000
    4894 | 0x0212 YCbCrSubSampling             |     SHORT |        2 |           | 2 2
    4906 | 0x0213 YCbCrPositioning             |     SHORT |        1 |           | 1
    4918 | 0x0214 ReferenceBlackWhite          |      LONG |        6 |      5028 | 0 255 128 255 128 ...
Exiv2 exception in print action for file /Users/rmills/Downloads/extraint-1386.exi:
corrupted image metadata
STRUCTURE OF TIFF FILE (II): /Users/rmills/Downloads/new-252-g125.exi
Exiv2 exception in print action for file /Users/rmills/Downloads/new-252-g125.exi:
corrupted image metadata
554 rmills@rmillsmbp:~/gnu/github/exiv2/master/build $ 
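The failure mode in this issue (an IFD walk that never terminates on a crafted file, caught by the backtrace inside fread) and the fixed build's behaviour in comment #4 (print what can be parsed, then raise "corrupted image metadata") can be shown with a small bounds-checked IFD walker. The C++ below is an added example written for this page; it is not Exiv2's code. The class TiffWalker, the walkCount helper and the buffers built by makeSample and truncatedSample are assumptions: the report does not say what the attached POC files contain, so a self-referencing next-IFD pointer, an out-of-range IFD offset and a truncated IFD are used here as representative malformed inputs.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <set>
#include <sstream>
#include <stdexcept>
#include <vector>

// Bounded walker over the IFD chain of an in-memory TIFF buffer (hypothetical, stands in for
// a BasicIo-backed reader). Every read is bounds-checked, each visited IFD offset is remembered so
// a pointer back to an earlier IFD is rejected, and the chain length is capped. Any violation
// throws "corrupted image metadata" instead of looping.
class TiffWalker {
public:
    explicit TiffWalker(const std::vector<uint8_t>& data) : d_(data) {}

    // Print every IFD reachable from the header; returns how many IFDs were visited.
    size_t walk(std::ostream& out, size_t maxIfds = 64) {
        if (d_.size() < 8) fail();
        if (d_[0] == 'I' && d_[1] == 'I') bigEndian_ = false;
        else if (d_[0] == 'M' && d_[1] == 'M') bigEndian_ = true;
        else fail();
        if (read16(2) != 42) fail();                 // TIFF magic
        uint32_t offset = read32(4);                 // first IFD
        std::set<uint32_t> seen;                     // cycle detection
        size_t n = 0;
        while (offset != 0) {
            if (!seen.insert(offset).second) fail(); // offset already visited: a loop
            if (++n > maxIfds) fail();               // hard cap on chain length
            offset = printIfd(out, offset);
        }
        return n;
    }

private:
    const std::vector<uint8_t>& d_;
    bool bigEndian_ = false;

    [[noreturn]] static void fail() { throw std::runtime_error("corrupted image metadata"); }

    // Reject any read that would run past the end of the buffer (a short read at EOF is what an
    // unchecked loop never notices).
    void need(size_t off, size_t len) const {
        if (off > d_.size() || len > d_.size() - off) fail();
    }
    uint16_t read16(size_t off) const {
        need(off, 2);
        return bigEndian_ ? (uint16_t)((d_[off] << 8) | d_[off + 1])
                          : (uint16_t)((d_[off + 1] << 8) | d_[off]);
    }
    uint32_t read32(size_t off) const {
        need(off, 4);
        uint32_t b0 = d_[off], b1 = d_[off + 1], b2 = d_[off + 2], b3 = d_[off + 3];
        return bigEndian_ ? (b0 << 24) | (b1 << 16) | (b2 << 8) | b3
                          : (b3 << 24) | (b2 << 16) | (b1 << 8) | b0;
    }

    // Print one IFD's 12-byte entries and return the next-IFD offset that follows them.
    uint32_t printIfd(std::ostream& out, uint32_t off) {
        uint16_t count = read16(off);
        need(off + 2, (size_t)count * 12 + 4);       // all entries plus the next pointer must fit
        for (uint16_t i = 0; i < count; ++i) {
            size_t e = off + 2 + (size_t)i * 12;
            out << "  tag 0x" << std::hex << read16(e) << std::dec
                << " type " << read16(e + 2) << " count " << read32(e + 4)
                << " value/offset " << read32(e + 8) << "\n";
        }
        return read32(off + 2 + (size_t)count * 12);
    }
};

// Constructed sample: little-endian TIFF, one IFD at offset 8 holding ImageWidth=160,
// with the next-IFD pointer set by the caller (0 = well formed, 8 = points back to itself).
std::vector<uint8_t> makeSample(uint32_t nextIfd) {
    std::vector<uint8_t> t = {'I', 'I', 42, 0, 8, 0, 0, 0,            // header
                              1, 0,                                   // entry count
                              0x00, 0x01, 4, 0, 1, 0, 0, 0, 160, 0, 0, 0, // 0x0100 LONG 1 = 160
                              0, 0, 0, 0};                            // next IFD offset
    t[22] = nextIfd & 0xff; t[23] = (nextIfd >> 8) & 0xff;
    t[24] = (nextIfd >> 16) & 0xff; t[25] = nextIfd >> 24;
    return t;
}

// Constructed sample: the same file cut off in the middle of the IFD.
std::vector<uint8_t> truncatedSample() {
    std::vector<uint8_t> t = makeSample(0);
    t.resize(20);
    return t;
}

// Number of IFDs walked, or -1 when the input was rejected as corrupted.
int walkCount(const std::vector<uint8_t>& data) {
    std::ostringstream sink;
    try { return (int)TiffWalker(data).walk(sink); }
    catch (const std::runtime_error&) { return -1; }
}

int main() {
    std::cout << "well formed: " << walkCount(makeSample(0)) << "\n";      // 1
    std::cout << "self-loop:   " << walkCount(makeSample(8)) << "\n";      // -1
    std::cout << "out of range:" << walkCount(makeSample(4000)) << "\n";   // -1
    std::cout << "truncated:   " << walkCount(truncatedSample()) << "\n";  // -1
    return 0;
}
```

The three guards are independent: the bounds check alone stops the truncated and out-of-range cases but not the self-referencing pointer, which lies inside the file; the visited-set catches that, and the chain cap bounds the work even on a long non-repeating chain.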
