Bug #1296
Segmentation fault in convert-test
Description
When the data structure of the ifd structure is incorrect, the program assigns pValue_ to 0x0, and the value of pValue() is 0x0. TiffImageEntry::doWriteImage will use the value of pValue() and cause a segmentation fault.
ASAN:SIGSEGV
=================================================================
==11348==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f440c6fa8c8 sp 0x7ffd88d08360 bp 0x7ffd88d08950 T0)
==11348==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x7f440c6fa8c7 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x9328c7)
#1 0x7f440c6ead13 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x922d13)
#2 0x7f440c6f9303 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x931303)
#3 0x7f440c6ead13 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x922d13)
#4 0x7f440c6e8507 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x920507)
#5 0x7f440c6e45fa (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x91c5fa)
#6 0x7f440c766014 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x99e014)
#7 0x7f440c7622d8 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x99a2d8)
#8 0x7f440c761278 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x999278)
#9 0x47d99d (/home/lolopop/projects/exiv2/build-clang/exiv2/bin/convert-test+0x47d99d)
#10 0x7f440a9adf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x47cc0c (/home/lolopop/projects/exiv2/build-clang/exiv2/bin/convert-test+0x47cc0c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==11348==ABORTING
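An added example, not exiv2 code and not the fix referenced in this issue: a hypothetical little-endian IFD entry checker that classifies each directory entry into the failure classes convert-test's own warnings name for crash161 (unknown field type, count times type size larger than the file, data offset past end of file), so that a malformed entry is rejected before any writer is asked for its value. The sample TIFF bytes are constructed here and are not the crash161 attachment.

```cpp
#include <cstdint>
#include <vector>

// Hypothetical IFD entry checker (added example, not exiv2 code). It sorts each
// entry into: unknown field type, count*typesize larger than the file, offset past EOF.
namespace ifdcheck {
// Byte size of TIFF field types 1..12 (BYTE, ASCII, SHORT, LONG, RATIONAL, ...).
static const uint32_t kTypeSize[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
struct Entry { uint16_t tag; uint16_t type; uint32_t count; uint32_t value; };
enum Status { kOk, kUnknownType, kBadSize, kBadOffset };
static uint16_t rd16(const uint8_t* p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t* p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

// Decode one little-endian ("II") 12-byte directory entry.
Entry parseEntry(const uint8_t* p) { return Entry{rd16(p), rd16(p + 2), rd32(p + 4), rd32(p + 8)}; }

// Decide whether an entry's data can be read from a file of fileSize bytes.
Status validate(const Entry& e, uint64_t fileSize) {
    if (e.type == 0 || e.type > 12) return kUnknownType;
    uint64_t size = (uint64_t)e.count * kTypeSize[e.type];  // 64-bit, cannot wrap
    if (size > fileSize) return kBadSize;
    // Values of at most 4 bytes are stored inline; larger ones live at an offset.
    if (size > 4 && (uint64_t)e.value + size > fileSize) return kBadOffset;
    return kOk;
}

// One Status per entry of the IFD at ifdOffset; a directory running past EOF yields none.
std::vector<Status> walkIfd(const std::vector<uint8_t>& file, uint32_t ifdOffset) {
    std::vector<Status> out;
    if ((uint64_t)ifdOffset + 2 > file.size()) return out;
    uint16_t n = rd16(&file[ifdOffset]);
    if ((uint64_t)ifdOffset + 2 + 12ull * n + 4 > file.size()) return out;
    for (uint16_t i = 0; i < n; ++i)
        out.push_back(validate(parseEntry(&file[ifdOffset + 2 + 12u * i]), file.size()));
    return out;
}

// Constructed sample (not the crash161 attachment): "II" header, IFD at offset 8, 4 entries.
std::vector<uint8_t> sampleFile() {
    std::vector<uint8_t> f = {'I', 'I', 42, 0, 8, 0, 0, 0};
    auto put16 = [&](uint32_t v) { f.push_back(v & 0xff); f.push_back((v >> 8) & 0xff); };
    auto put32 = [&](uint32_t v) { put16(v & 0xffff); put16(v >> 16); };
    auto entry = [&](uint16_t tag, uint16_t type, uint32_t count, uint32_t value) {
        put16(tag); put16(type); put32(count); put32(value); };
    put16(4);                            // entry count
    entry(0x0100, 3, 1, 32);             // ImageWidth, SHORT, 32: well formed
    entry(0x0111, 256, 1342177280, 0);   // StripOffsets with unknown type 256
    entry(0x0117, 4, 0x40000000, 8);     // LONG x 2^30 = 4 GiB, larger than the file
    entry(0x010d, 2, 15, 0x28000000);    // 15 ASCII bytes at an offset past EOF
    put32(0);                            // no next IFD
    return f;
}
}  // namespace ifdcheck
```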
History
Updated by Robin Mills over 4 years ago
- Category set to samples
- Status changed from New to Assigned
- Target version set to 0.28
Is this issue the same as #1295? Can you provide your test file please? No evidence of an issue with a good file:
511 rmills@rmillsmbp:~/gnu/git/exiv2 $ bin/convert-test test/data/Reagan.tiff
512 rmills@rmillsmbp:~/gnu/git/exiv2 $
Updated by CH R over 4 years ago
Robin Mills wrote:
Is this issue the same as #1295? Can you provide your test file please? No evidence of an issue with a good file: [...]
Oh sorry, I submitted it twice. I have attached the test file and vulnerability analysis, but I do not know why I have no way to download them. The crash161 file is the test file.
Updated by Robin Mills over 4 years ago
Thanks for the test file and report. I've reproduced this and will fix it at the weekend. samples/convert-test.cpp is a sample application and is used by our test suite. So this doesn't feel serious to me. However, I'll fix it. Crashes are never good, even in our test harness.
512 rmills@rmillsmbp:~/gnu/git/exiv2 $ exiv2 -pR ~/Downloads/crash161
STRUCTURE OF TIFF FILE (II): /Users/rmills/Downloads/crash161
address | tag | type | count | offset | value
100 | 0x0100 ImageWidth | SHORT | 1 | 32 | 32
112 | 0x0111 StripOffsets | SHORT | 1 | 32 | 32
124 | 0x0102 BitsPerSample | SHORT | 1 | 4 | 4
136 | 0x0103 Compression | SHORT | 1 | 8 | 8
148 | 0x0106 PhotometricInterpretation | SHORT | 1 | 3 | 3
160 | 0x010a FillOrder | SHORT | 1 | 1 | 1
172 | 0x010d DocumentName | ASCII | 15 | 320 | ...`.......not_
184 | 0x0111 StripOffsets | LONG | 1 | 8 | 8
196 | 0x0112 Orientation | SHORT | 1 | 1 | 1
208 | 0x0115 SamplesPerPixel | SHORT | 1 | 1 | 1
220 | 0x0116 RowsPerStrip | SHORT | 1 | 3 | 3
232 | 0x0117 StripByteCounts | LONG | 1 | 89 | 89
244 | 0x011a XResolution | RATIONAL | 15 | 320 | ...
invalid type value detected in Image::printIFDStructure: 256
END /Users/rmills/Downloads/crash161
513 rmills@rmillsmbp:~/gnu/git/exiv2 $ convert-test ~/Downloads/crash161
invalid type value detected in Image::printIFDStructure: 256
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0111 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Directory Image, entry 0x0111 has invalid size 1342177280*1; skipping entry.
Warning: Directory Image, entry 0x0111: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0x0501 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Directory Image, entry 0x0501 has invalid size 1476395008*1; skipping entry.
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0x0301 is out of bounds: Offset = 0x28000000; truncating the entry
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0x0301 is out of bounds: Offset = 0x29000000; truncating the entry
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 512; setting type size 1.
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0111 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Directory Image, entry 0x0111 has invalid size 1342177280*1; skipping entry.
Warning: Directory Image, entry 0x0111: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0x0501 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Directory Image, entry 0x0501 has invalid size 1476395008*1; skipping entry.
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0x0301 is out of bounds: Offset = 0x28000000; truncating the entry
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0x0301 is out of bounds: Offset = 0x29000000; truncating the entry
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 512; setting type size 1.
Segmentation fault: 11
514 rmills@rmillsmbp:~/gnu/git/exiv2 $
Updated by Robin Mills over 4 years ago
- Status changed from Assigned to Closed
- % Done changed from 20 to 100
Fix submitted: 2f8681e