Bug #1296

Segmentation fault in convert-test

Added by CH R almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
samples
Target version:
Start date:
25 May 2017
Due date:
% Done:

100%

Estimated time:
2.00 h

Description

When the data structure of the ifd is incorrect, the program assigns pValue_ to 0x0, and the value of pValue() is 0x0. TiffImageEntry::doWriteImage will use the value of pValue(), causing a segmentation fault.

ASAN:SIGSEGV =================================================================
==11348==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f440c6fa8c8 sp 0x7ffd88d08360 bp 0x7ffd88d08950 T0)
==11348==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x7f440c6fa8c7 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x9328c7)
#1 0x7f440c6ead13 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x922d13)
#2 0x7f440c6f9303 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x931303)
#3 0x7f440c6ead13 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x922d13)
#4 0x7f440c6e8507 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x920507)
#5 0x7f440c6e45fa (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x91c5fa)
#6 0x7f440c766014 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x99e014)
#7 0x7f440c7622d8 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x99a2d8)
#8 0x7f440c761278 (/home/lolopop/projects/exiv2/build-clang/exiv2/src/libexiv2.so.26+0x999278)
#9 0x47d99d (/home/lolopop/projects/exiv2/build-clang/exiv2/bin/convert-test+0x47d99d)
#10 0x7f440a9adf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x47cc0c (/home/lolopop/projects/exiv2/build-clang/exiv2/bin/convert-test+0x47cc0c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==11348==ABORTING
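The failure pattern this report describes (an IFD entry that fails validation leaves its value pointer null, and a later write path dereferences it) and the rejections visible in the `convert-test` run further down (unknown type 256, size 1342177280*1, offsets 0x28000000 and 0x29000000 out of bounds), as an added example. This is not Exiv2 code: the `tiffdemo` namespace, its functions and the TIFF bytes below are invented for the illustration, and the bytes are constructed by hand.

```cpp
// Added example, not Exiv2 code: a minimal little-endian TIFF IFD walker that
// validates type, size and offset before materialising an entry's value, and a
// writer that refuses to dereference a value that was never set. Names in the
// tiffdemo namespace are invented for this example; the TIFF bytes are constructed.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

namespace tiffdemo {

// Byte width of TIFF 6.0 field types 1..12; 0 flags an unknown type such as 256.
inline uint64_t typeSize(uint16_t type) {
    static const uint64_t sizes[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
    return type < 13 ? sizes[type] : 0;
}

struct Entry {
    uint16_t tag = 0;
    uint16_t type = 0;
    uint32_t count = 0;
    std::string error;                            // why the entry was rejected, if it was
    std::unique_ptr<std::vector<uint8_t>> value;  // null when the entry was rejected
};

inline uint16_t rd16(const std::vector<uint8_t>& b, uint64_t o) {
    return static_cast<uint16_t>(b[o] | (b[o + 1] << 8));
}
inline uint32_t rd32(const std::vector<uint8_t>& b, uint64_t o) {
    return rd16(b, o) | (static_cast<uint32_t>(rd16(b, o + 2)) << 16);
}

// Parse IFD0 of a little-endian TIFF. Every entry is returned, but a rejected
// one keeps value == nullptr plus an error string instead of a bogus buffer.
std::vector<Entry> parseIfd0(const std::vector<uint8_t>& buf) {
    std::vector<Entry> out;
    if (buf.size() < 8 || buf[0] != 'I' || buf[1] != 'I' || rd16(buf, 2) != 42) return out;
    uint64_t ifd = rd32(buf, 4);
    if (ifd + 2 > buf.size()) return out;
    uint16_t n = rd16(buf, ifd);
    for (uint16_t i = 0; i < n; ++i) {
        uint64_t e = ifd + 2 + uint64_t(i) * 12;
        if (e + 12 > buf.size()) break;          // directory runs past end of file
        Entry ent;
        ent.tag = rd16(buf, e);
        ent.type = rd16(buf, e + 2);
        ent.count = rd32(buf, e + 4);
        uint64_t ts = typeSize(ent.type);
        uint64_t size = ent.count * ts;          // 64-bit product: count*size cannot wrap
        uint64_t off = size <= 4 ? e + 8 : rd32(buf, e + 8);  // inline value vs. pointer
        if (ts == 0)                      ent.error = "unknown type";
        else if (size > buf.size())       ent.error = "invalid size";
        else if (off + size > buf.size()) ent.error = "offset out of bounds";
        else ent.value.reset(new std::vector<uint8_t>(buf.data() + off, buf.data() + off + size));
        out.push_back(std::move(ent));
    }
    return out;
}

// The crash pattern: a writer that dereferences value without checking it.
size_t writeEntryUnchecked(const Entry& e) { return e.value->size(); }

// Hardened writer: a rejected entry contributes nothing instead of a null deref.
size_t writeEntryChecked(const Entry& e) { return e.value ? e.value->size() : 0; }

// Constructed little-endian TIFF: one good entry followed by two malformed ones.
std::vector<uint8_t> malformedTiff() {
    std::vector<uint8_t> b = {'I', 'I', 42, 0, 8, 0, 0, 0};
    auto put = [&](uint32_t v, int bytes) {
        for (int i = 0; i < bytes; ++i) b.push_back(static_cast<uint8_t>(v >> (8 * i)));
    };
    put(3, 2);                                                            // three entries
    put(0x0100, 2); put(3, 2);   put(1, 4);          put(32, 4);          // ImageWidth SHORT 32
    put(0x0111, 2); put(256, 2); put(0x50000000, 4); put(0, 4);           // bogus type 256
    put(0x0301, 2); put(4, 2);   put(3, 4);          put(0x28000000, 4);  // LONG[3] far outside file
    put(0, 4);                                                            // no next IFD
    return b;
}

// Helpers that expose the outcome as return values.
size_t rejectedCount(const std::vector<uint8_t>& buf) {
    size_t n = 0;
    for (const Entry& e : parseIfd0(buf)) if (!e.value) ++n;
    return n;
}
std::string entryError(const std::vector<uint8_t>& buf, size_t i) {
    std::vector<Entry> ents = parseIfd0(buf);
    return i < ents.size() ? ents[i].error : "no such entry";
}
size_t bytesWrittenChecked(const std::vector<uint8_t>& buf) {
    size_t n = 0;
    for (const Entry& e : parseIfd0(buf)) n += writeEntryChecked(e);
    return n;
}

}  // namespace tiffdemo

int main() {
    std::vector<uint8_t> img = tiffdemo::malformedTiff();
    for (const tiffdemo::Entry& e : tiffdemo::parseIfd0(img))
        std::printf("tag 0x%04x type %u count %u: %s\n", unsigned(e.tag), unsigned(e.type),
                    unsigned(e.count), e.value ? "ok" : e.error.c_str());
    std::printf("rejected %zu, bytes written (checked) %zu\n",
                tiffdemo::rejectedCount(img), tiffdemo::bytesWrittenChecked(img));
    // Calling writeEntryUnchecked() on a rejected entry is the null dereference behind the bug.
    return 0;
}
```

The point of the split between parser and writer is that rejecting an entry during parsing is only half the fix: whatever consumes the entry later must also treat "no value" as a legal state, which is what the checked writer does and the unchecked one does not.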


Files

report.zip (479 KB) - vulnerability analysis report - CH R, 25 May 2017 02:50
crash161 (459 Bytes) - CH R, 25 May 2017 06:42
report.pdf (499 KB) - CH R, 25 May 2017 06:44

History

#1

Updated by Robin Mills almost 2 years ago

  • Category set to samples
  • Status changed from New to Assigned
  • Target version set to 0.28

Is this issue the same as #1295? Can you provide your test file please? No evidence of an issue with a good file:

511 rmills@rmillsmbp:~/gnu/git/exiv2 $ bin/convert-test test/data/Reagan.tiff 
512 rmills@rmillsmbp:~/gnu/git/exiv2 $ 

#2

Updated by CH R almost 2 years ago

Robin Mills wrote:

Is this issue the same as #1295? Can you provide your test file please? No evidence of an issue with a good file: [...]

Oh sorry, I submitted it twice. I have attached the test file and the vulnerability analysis, but I do not know why I have no way to download them. The crash161 file is the test file.

#3

Updated by CH R almost 2 years ago

analysis

#4

Updated by Robin Mills almost 2 years ago

Thanks for the test file and report. I've reproduced this and will fix it at the weekend. samples/convert-test.cpp is a sample application used by our test suite, so this doesn't feel serious to me. However, I'll fix it. Crashes are never good, even in our test harness.

512 rmills@rmillsmbp:~/gnu/git/exiv2 $ exiv2 -pR ~/Downloads/crash161 
STRUCTURE OF TIFF FILE (II): /Users/rmills/Downloads/crash161
 address |    tag                           |      type |    count |    offset | value
     100 | 0x0100 ImageWidth                |     SHORT |        1 |        32 | 32
     112 | 0x0111 StripOffsets              |     SHORT |        1 |        32 | 32
     124 | 0x0102 BitsPerSample             |     SHORT |        1 |         4 | 4
     136 | 0x0103 Compression               |     SHORT |        1 |         8 | 8
     148 | 0x0106 PhotometricInterpretation |     SHORT |        1 |         3 | 3
     160 | 0x010a FillOrder                 |     SHORT |        1 |         1 | 1
     172 | 0x010d DocumentName              |     ASCII |       15 |       320 | ...`.......not_
     184 | 0x0111 StripOffsets              |      LONG |        1 |         8 | 8
     196 | 0x0112 Orientation               |     SHORT |        1 |         1 | 1
     208 | 0x0115 SamplesPerPixel           |     SHORT |        1 |         1 | 1
     220 | 0x0116 RowsPerStrip              |     SHORT |        1 |         3 | 3
     232 | 0x0117 StripByteCounts           |      LONG |        1 |        89 | 89
     244 | 0x011a XResolution               |  RATIONAL |       15 |       320 |   ...
invalid type value detected in Image::printIFDStructure:  256
END /Users/rmills/Downloads/crash161
513 rmills@rmillsmbp:~/gnu/git/exiv2 $ convert-test ~/Downloads/crash161 
invalid type value detected in Image::printIFDStructure:  256
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0111 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Directory Image, entry 0x0111 has invalid size 1342177280*1; skipping entry.
Warning: Directory Image, entry 0x0111: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0x0501 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Directory Image, entry 0x0501 has invalid size 1476395008*1; skipping entry.
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0x0301 is out of bounds: Offset = 0x28000000; truncating the entry
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0x0301 is out of bounds: Offset = 0x29000000; truncating the entry
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 512; setting type size 1.
Error: Directory Image: Next pointer is out of bounds; ignored.
Warning: Directory Image, entry 0x0111 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Directory Image, entry 0x0111 has invalid size 1342177280*1; skipping entry.
Warning: Directory Image, entry 0x0111: Size or data offset value not set, ignoring them.
Warning: Directory Image, entry 0x0501 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Directory Image, entry 0x0501 has invalid size 1476395008*1; skipping entry.
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0x0301 is out of bounds: Offset = 0x28000000; truncating the entry
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 256; setting type size 1.
Error: Offset of directory Image, entry 0x0301 is out of bounds: Offset = 0x29000000; truncating the entry
Warning: Directory Image, entry 0x0301 has unknown Exif (TIFF) type 512; setting type size 1.
Segmentation fault: 11
514 rmills@rmillsmbp:~/gnu/git/exiv2 $ 

#5

Updated by Robin Mills almost 2 years ago

  • % Done changed from 0 to 20
  • Estimated time set to 2.00 h

#6

Updated by Robin Mills almost 2 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 20 to 100

Fix submitted: 2f8681e
