Bug #1353

Segmentation fault in the software exiv2 when the function Exiv2::tEXtToDataBuf() is finished

Added by chung-yi lin 5 months ago. Updated 5 months ago.

Status: Closed
Start date: 22 May 2018
Priority: Normal
Due date:
Assignee: Robin Mills
% Done: 100%
Category: image format
Estimated time: 1.00 hour
Target version: 0.27

Description

Triggered by ./exiv2 -pR POC

Description of problem:

Version-Release number of selected component (if applicable):

0.26

How reproducible:

./exiv2 -pR POC

Steps to Reproduce:

The output information is as follows:
$ ./exiv2 -pR POC
STRUCTURE OF PNG FILE: POC
address | chunk | length | data | checksum
8 | IHDR | 13 | ... ... .... | 0x44a48ac6
33 | QEXt | 25 | Software.Adobe ImageReady | 0x71c9653c
70 | PL | 15 | ..... ... .... | 0x44a48ac6
97 | tEXt | 25 | Software.Adobe IpHYsReady | 0x71c9653c
Segmentation fault (core dumped)

GDB debugging information is as follows:
(gdb) set args -pR POC
(gdb) r
STRUCTURE OF PNG FILE: POC
address | chunk | length | data | checksum
8 | IHDR | 13 | ... ... .... | 0x44a48ac6
33 | QEXt | 25 | Software.Adobe ImageReady | 0x71c9653c
70 | PL | 15 | ..... ... .... | 0x44a48ac6
97 | tEXt | 25 | Software.Adobe IpHYsReady | 0x71c9653c

Program received signal SIGSEGV, Segmentation fault.
0x00000000008031f9 in Exiv2::tEXtToDataBuf (result=..., length=4294967295, bytes=0xec140a " ")
at pngimage.cpp:164

164 if ( value[p[i]] )
(gdb) bt
#0 0x00000000008031f9 in Exiv2::tEXtToDataBuf (result=..., length=4294967295, bytes=0xec140a " ")
at pngimage.cpp:164
#1 Exiv2::PngImage::printStructure (this=0xec0aa0, out=..., option=Exiv2::kpsRecursive, depth=0)
at pngimage.cpp:306
#2 0x000000000046bdc5 in Action::Print::printStructure (this=this@entry=0xec1bd0, out=...,
option=option@entry=Exiv2::kpsRecursive) at actions.cpp:283
#3 0x0000000000486d52 in Action::Print::run (this=0xec1bd0, path="POC") at actions.cpp:247
#4 0x000000000040772d in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:166

(gdb) list
159 // header is \nsomething\n number\n hex
160 while ( count < 3 )
161 if ( *p++ == '\n' )
162 count++;
163 for ( long i = 0 ; i < length ; i++ ){
164 if ( value[p[i]] )
165 ++count;
166 }
167 result.alloc((count+1)/2) ;
168

(gdb) info all-registers
rax 0x69 105
rbx 0xec13f0 15471600
rcx 0x1d3c7 119751
rdx 0x0 0
rsi 0x0 0
rdi 0x69 105
rbp 0xec1c36 0xec1c36
rsp 0x7fffffffe070 0x7fffffffe070
r8 0x69 105
r9 0x0 0
r10 0xffffffffffffffff -1
r11 0x0 0
r12 0x7fffffffe230 140737488347696
r13 0xec0aa0 15469216
r14 0xffffffff 4294967295
r15 0xec0c60 15469664
rip 0x8031f9 0x8031f9 <Exiv2::PngImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int)+16057>
eflags 0x10297 [ CF PF AF SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
st0 0 (raw 0x00000000000000000000)
st1 0 (raw 0x00000000000000000000)
st2 0 (raw 0x00000000000000000000)
st3 0 (raw 0x00000000000000000000)
st4 0 (raw 0x00000000000000000000)
st5 0 (raw 0x00000000000000000000)
st6 0 (raw 0x00000000000000000000)
st7 0 (raw 0x00000000000000000000)
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
mxcsr 0x1f80 [ IM DM ZM OM UM PM ]

POC (266 Bytes) chung-yi lin, 22 May 2018 05:53
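The gdb listing above shows why the crash is an out-of-bounds read rather than a logic error in the chunk table: the `while ( count < 3 )` loop scans for three newlines with no limit, and the `for` loop then iterates `i < length` with `length=4294967295` (0xFFFFFFFF), so `value[p[i]]` walks far past the 25-byte tEXt payload until it hits an unmapped page at pngimage.cpp:164. The following is an added example, not exiv2 code and not part of the bug report: a bounds-checked C version of that header-skip-and-count loop, alongside a checked computation of the tEXt value length. The unsigned wrap in `naive_value_length` is an assumption about how a length of 4294967295 could be produced from a 25-byte chunk; the page does not show how printStructure computed the value it passed to tEXtToDataBuf(). The chunk lengths and the "Software" keyword are taken from the `-pR` dump above; the hex payloads are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unchecked length arithmetic, written here to show how a tEXt value length
 * of 4294967295 (0xFFFFFFFF, the value in the gdb frame above) can arise: if
 * the keyword plus its NUL separator is at least as long as the chunk, the
 * 32-bit subtraction wraps. Constructed illustration (assumption), not a claim
 * about how pngimage.cpp derives the length it passes to tEXtToDataBuf(). */
uint32_t naive_value_length(uint32_t chunk_len, uint32_t keyword_len)
{
    return chunk_len - keyword_len - 1;   /* wraps when keyword_len + 1 > chunk_len */
}

/* Checked version: the keyword and its NUL separator must fit inside the
 * chunk. Returns the value length, or -1 if the chunk is malformed. */
int64_t text_value_length(uint32_t chunk_len, size_t keyword_len)
{
    if (keyword_len >= chunk_len)      /* same test as keyword_len + 1 > chunk_len, without overflow */
        return -1;
    return (int64_t)chunk_len - (int64_t)keyword_len - 1;
}

/* Bounds-checked version of the header skip and hex-digit count shown at
 * pngimage.cpp:160-166. The original scans for three '\n' with no limit and
 * then iterates i < length using a caller-supplied length; here every read is
 * bounded by len, the real size of the value buffer.
 * Returns the number of hex digits after the 3-line header, or -1 if the
 * header does not end inside the buffer. */
int64_t count_hex_after_header(const uint8_t *buf, size_t len)
{
    size_t p = 0;
    int newlines = 0;

    /* header is \nsomething\n number\n hex */
    while (newlines < 3) {
        if (p >= len)
            return -1;                   /* ran out of data before the header ended */
        if (buf[p++] == '\n')
            newlines++;
    }

    int64_t hex = 0;
    for (size_t i = p; i < len; i++) {   /* bound is the buffer size, not a trusted length field */
        uint8_t c = buf[i];
        if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F'))
            hex++;
    }
    return hex;
}

/* Convenience wrapper for NUL-terminated sample strings. */
int64_t count_hex_str(const char *s)
{
    return count_hex_after_header((const uint8_t *)s, strlen(s));
}

int main(void)
{
    /* The tEXt chunk from the dump above: length 25, keyword "Software"
     * (8 bytes), a NUL, then a 16-byte value. */
    printf("checked value length (25, 8):  %lld\n", (long long)text_value_length(25, 8));
    /* Constructed malformed chunk: 25 bytes, all keyword, no separator. */
    printf("naive value length (25, 25):   %lu\n", (unsigned long)naive_value_length(25, 25));
    printf("checked value length (25, 25): %lld\n", (long long)text_value_length(25, 25));

    /* Constructed "Raw profile type" style payload and a truncated header. */
    printf("hex digits:       %lld\n", (long long)count_hex_str("\nexif\n      8\n45786966"));
    printf("truncated header: %lld\n", (long long)count_hex_str("\nexif\n"));
    return 0;
}
```

The point of the checked variant is that the parser never reads beyond the bytes the chunk header actually promised, regardless of how the caller derived its length; a fuzzer-produced chunk whose keyword fills the whole payload is rejected at `text_value_length`, and one whose value lacks three newlines is rejected inside the scan instead of running off the end of the heap.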

History

#1 Updated by Robin Mills 5 months ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
  • Estimated time set to 1.00

We will not accept bug reports which use the option -pR. That option is provided for debugging only. In v0.27, it will only be provided on builds with the DEBUG flag. And even then, we will not accept bug reports about it. Exiv2 is a library. The command-line program exiv2(.exe) is a test harness and should never be deployed for production purposes.
