Buffer overflow in Exiv2::RiffVideo::dateTimeOriginal
Tested with svn r3885:
$ exiv2 pr crash.riff
*** Error in `exiv2': malloc(): memory corruption: 0x0000000000ed6aa0 ***
Aborted
Valgrind says it's a buffer overflow in
==25760== Invalid write of size 8
==25760==    at 0x5DE490B: __GI_mempcpy (memcpy.S:272)
==25760==    by 0x5DD373D: _IO_file_xsgetn (fileops.c:1388)
==25760==    by 0x5DC954E: fread (iofread.c:42)
==25760==    by 0x51E4707: Exiv2::RiffVideo::dateTimeOriginal(long, int) (in /usr/local/lib/libexiv2.so.14.0.0)
==25760==    by 0x51EA894: Exiv2::RiffVideo::decodeBlock() (in /usr/local/lib/libexiv2.so.14.0.0)
==25760==    by 0x51EAC27: Exiv2::RiffVideo::readMetadata() (in /usr/local/lib/libexiv2.so.14.0.0)
==25760==    by 0x41A87C: Action::Print::printSummary() (in /usr/local/bin/exiv2)
==25760==    by 0x41D4C7: Action::Print::run(std::string const&) (in /usr/local/bin/exiv2)
==25760==    by 0x405D5D: main (in /usr/local/bin/exiv2)
This bug was found using American fuzzy lop:
Updated by Jakub Wilk about 4 years ago
In https://bugs.debian.org/781123#8, Vasyl Kaigorodov wrote:
Just my 2c here - quickly looking at Valgrind backtrace, and the code -
looks like the issue is that with attached crafted .riff file RiffVideo::tagDecoder() gets "unsigned long" as
its 2nd argument, which is then passed further to RiffVideo::dateTimeOriginal() as "long".
I'm not a CPP guru, but other functions there might suffer from the same issue:
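The conversion chain Vasyl describes, as an added illustration that is not exiv2's code: a chunk size received as unsigned long, narrowed to long, and handed to fread() as size_t without ever being compared against the destination buffer, beside a read that bounds the length first. The buffer size, the ChunkReader stand-in for the file and the sample chunk are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size destination, standing in for the buffer that
 * dateTimeOriginal() fread()s into; the real size is not stated on the page. */
#define DATE_BUF_SIZE 32

/* Minimal in-memory stand-in for the file the real code reads with fread();
 * constructed here so the example runs without a .riff file. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} ChunkReader;

static size_t chunk_read(ChunkReader *r, void *dst, size_t n) {
    size_t avail = r->len - r->pos;
    if (n > avail) n = avail;            /* never read past the chunk data */
    memcpy(dst, r->data + r->pos, n);
    r->pos += n;
    return n;
}

/* The conversion chain from the comment: tagDecoder() receives the chunk
 * size as unsigned long, dateTimeOriginal() takes it as long, and fread()
 * takes it back as size_t. No step compares it with the destination, so a
 * crafted size (e.g. one that wraps negative) reaches fread() unchanged. */
size_t length_handed_to_fread(unsigned long chunk_size) {
    long as_long = (long)chunk_size;     /* implicit narrowing at the call site */
    return (size_t)as_long;              /* what fread() is asked to copy */
}

/* Hardened read: bound the length by the destination before touching it and
 * reject anything that would not fit. Returns bytes copied, or -1 on an
 * unsafe length. Nul-terminates so the result is usable as a string. */
int read_date_time_checked(ChunkReader *r, unsigned long chunk_size,
                           char *out, size_t out_size) {
    if (out_size == 0 || chunk_size > out_size - 1) return -1;
    size_t got = chunk_read(r, out, (size_t)chunk_size);
    out[got] = '\0';
    return (int)got;
}
```

The first function only reports the length the unchecked path would pass on; it never performs the copy, so the demonstration itself cannot corrupt memory.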
Updated by Thomas Beutlich about 4 years ago
To answer your question from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781123 : video support of exiv2 v0.25 was not accidentally disabled but on purpose, for the very reason of bugs like this one.