Bug #1104

Buffer overflow in Exiv2::RiffVideo::dateTimeOriginal

Added by Jakub Wilk over 6 years ago. Updated over 5 years ago.

Status: Assigned
Priority: Normal
Assignee:
Category: video
Target version:
Start date: 10 Aug 2015
Due date:
% Done: 10%
Estimated time: 30.00 h

Description

Tested with svn r3885:

$ exiv2 pr crash.riff 
*** Error in `exiv2': malloc(): memory corruption: 0x0000000000ed6aa0 ***
Aborted

Valgrind says it's a buffer overflow in Exiv2::RiffVideo::dateTimeOriginal:

==25760== Invalid write of size 8
==25760==    at 0x5DE490B: __GI_mempcpy (memcpy.S:272)
==25760==    by 0x5DD373D: _IO_file_xsgetn (fileops.c:1388)
==25760==    by 0x5DC954E: fread (iofread.c:42)
==25760==    by 0x51E4707: Exiv2::RiffVideo::dateTimeOriginal(long, int) (in /usr/local/lib/libexiv2.so.14.0.0)
==25760==    by 0x51EA894: Exiv2::RiffVideo::decodeBlock() (in /usr/local/lib/libexiv2.so.14.0.0)
==25760==    by 0x51EAC27: Exiv2::RiffVideo::readMetadata() (in /usr/local/lib/libexiv2.so.14.0.0)
==25760==    by 0x41A87C: Action::Print::printSummary() (in /usr/local/bin/exiv2)
==25760==    by 0x41D4C7: Action::Print::run(std::string const&) (in /usr/local/bin/exiv2)
==25760==    by 0x405D5D: main (in /usr/local/bin/exiv2)

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/


Files

crash.riff (1.11 KB), added by Jakub Wilk, 10 Aug 2015 12:47

Related issues

Related to Exiv2 - Feature #1028: Add GSoC13 video-write code (Closed, 01 Feb 2015)
Related to Exiv2 - Bug #1068: Video Code Umbrella (Closed, 26 Apr 2015)

History

#1

Updated by Jakub Wilk over 6 years ago

In https://bugs.debian.org/781123#8, Vasyl Kaigorodov wrote:

Just my 2c here - quickly looking at the Valgrind backtrace and the code, it looks like the issue is that with the attached crafted .riff file RiffVideo::tagDecoder() gets "unsigned long" as its 2nd argument, which is then passed further to RiffVideo::dateTimeOriginal() as "long".
I'm not a CPP guru, but other functions there might suffer from the same issue:

junkHandler
aviHeaderTagsHandler
streamHandler
streamDataTagHandler
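The conversion problem described in the comment above, as an added illustration that is not Exiv2 code: a declared chunk size travels as an unsigned value, is narrowed to a signed `long` parameter, and finally reaches a `size_t` read length, so any value above `LONG_MAX` first becomes negative and then enormous. The reader below is a hypothetical minimal RIFF-style chunk parser (4-byte FourCC, 4-byte little-endian size, payload) that checks the declared size against the signed type, the destination buffer and the bytes actually present before copying anything; the sample chunks are constructed here and are not the attached crash.riff.

```cpp
// Added example, not taken from Exiv2. Shows the unsigned -> long -> size_t
// narrowing described in the bug comment, and a chunk reader that validates
// the declared size before it is used as a copy length.
#include <climits>
#include <cstddef>
#include <cstdint>
#include <vector>

// Length a size_t-taking read call (such as fread) would receive if the declared
// unsigned size were first passed through a 'long' parameter. Anything above
// LONG_MAX wraps to a negative long and then to a huge size_t.
size_t narrowedReadLength(unsigned long declared) {
    long asSigned = static_cast<long>(declared);   // the narrowing step
    return static_cast<size_t>(asSigned);          // what the read call sees
}

// Accepts a declared length only when it is representable as long.
bool toSignedLength(unsigned long declared, long& out) {
    if (declared > static_cast<unsigned long>(LONG_MAX)) return false;
    out = static_cast<long>(declared);
    return true;
}

// Parses one chunk at 'offset'. Copies the payload into 'out' only if the header
// is complete, the size fits in a long, does not exceed 'capacity' (the size of
// the destination the caller intends to fill) and does not run past the input.
bool readChunkPayload(const std::vector<uint8_t>& file, size_t offset,
                      size_t capacity, std::vector<uint8_t>& out) {
    if (offset > file.size() || file.size() - offset < 8) return false;  // truncated header
    uint32_t declared = static_cast<uint32_t>(file[offset + 4])
                      | (static_cast<uint32_t>(file[offset + 5]) << 8)
                      | (static_cast<uint32_t>(file[offset + 6]) << 16)
                      | (static_cast<uint32_t>(file[offset + 7]) << 24);
    size_t remaining = file.size() - offset - 8;
    long signedLen = 0;
    if (!toSignedLength(declared, signedLen)) return false;  // would not survive a long parameter
    if (declared > capacity) return false;                   // would overflow the destination
    if (declared > remaining) return false;                  // declared size runs past end of file
    out.assign(file.begin() + offset + 8, file.begin() + offset + 8 + declared);
    return true;
}

// Constructed sample inputs (hypothetical, not the crash.riff attached to the bug).
std::vector<uint8_t> goodChunk() {
    // "IDIT" chunk whose header declares a 4-byte payload "2015"
    return {'I', 'D', 'I', 'T', 4, 0, 0, 0, '2', '0', '1', '5'};
}
std::vector<uint8_t> oversizedChunk() {
    // same tag, declared size 0xFFFFFFFF, but only 4 payload bytes are present
    return {'I', 'D', 'I', 'T', 0xFF, 0xFF, 0xFF, 0xFF, '2', '0', '1', '5'};
}
```

The order of the checks matters: the size is validated while it is still unsigned, so no negative value ever reaches a signed parameter, and the copy length is bounded by both the destination and the remaining input rather than by the header alone.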

#2

Updated by Jakub Wilk over 6 years ago

Of course I forgot the attachment. :)

#3

Updated by Thomas Beutlich over 6 years ago

To answer your question from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781123: video support in exiv2 v0.25 was not disabled accidentally but on purpose, for the very reason of bugs like this one.

#4

Updated by Robin Mills about 6 years ago

  • Category set to video
  • Status changed from New to Assigned
  • Assignee set to Robin Mills
  • Target version set to 0.26

#5

Updated by Robin Mills about 6 years ago

  • % Done changed from 0 to 10
  • Estimated time set to 30.00 h

I suspect there is rather a lot of effort required here to test for buffer overflows in the video code.

#6

Updated by Robin Mills over 5 years ago

  • Target version changed from 0.26 to 1.0

This is being deferred for v0.26. I hope refactoring the video code will be the headline feature of v0.27.
