Bug #1305
Segmentation fault on certain image
Description
Originally discovered in Gwenview, which uses libexiv2: https://bugs.kde.org/show_bug.cgi?id=382842
The problematic image is attached.
libexiv2 0.26, openSUSE Tumbleweed 64-bit
Thread 1 "gwenview" received signal SIGSEGV, Segmentation fault.
0x00007ffff180fb5f in Exiv2::ExifData::findKey(Exiv2::ExifKey const&) const () from /usr/lib64/libexiv2.so.26
(gdb) bt
#0 0x00007ffff180fb5f in Exiv2::ExifData::findKey(Exiv2::ExifKey const&) const () from /usr/lib64/libexiv2.so.26
#1 0x00007ffff18556a1 in Exiv2::Internal::PentaxMakerNote::printShutterCount(std::ostream&, Exiv2::Value const&, Exiv2::ExifData const*) () from /usr/lib64/libexiv2.so.26
#2 0x00007ffff746c0cf in ?? () from /usr/lib64/libgwenviewlib.so.5
#3 0x00007ffff7468b89 in Gwenview::ImageMetaInfoModel::setExiv2Image(Exiv2::Image const*) () from /usr/lib64/libgwenviewlib.so.5
#4 0x00007ffff74207b7 in Gwenview::Document::setExiv2Image(std::auto_ptr<Exiv2::Image>) () from /usr/lib64/libgwenviewlib.so.5
#5 0x00007ffff741f7d1 in ?? () from /usr/lib64/libgwenviewlib.so.5
#6 0x00007ffff742fa11 in ?? () from /usr/lib64/libgwenviewlib.so.5
#7 0x00007ffff3a7645a in QMetaObject::activate(QObject*, int, int, void**) () from /usr/lib64/libQt5Core.so.5
#8 0x00007ffff3873103 in QFutureWatcherBase::event(QEvent*) () from /usr/lib64/libQt5Core.so.5
#9 0x00007ffff4f0a93c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/lib64/libQt5Widgets.so.5
#10 0x00007ffff4f11cb4 in QApplication::notify(QObject*, QEvent*) () from /usr/lib64/libQt5Widgets.so.5
#11 0x00007ffff3a48f28 in QCoreApplication::notifyInternal2(QObject*, QEvent*) () from /usr/lib64/libQt5Core.so.5
#12 0x00007ffff3a4b515 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/lib64/libQt5Core.so.5
#13 0x00007ffff3a9f373 in postEventSourceDispatch(_GSource*, int (*)(void), void*) () from /usr/lib64/libQt5Core.so.5
#14 0x00007fffec763b57 in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
#15 0x00007fffec763d88 in ?? () from /usr/lib64/libglib-2.0.so.0
#16 0x00007fffec763e1c in g_main_context_iteration () from /usr/lib64/libglib-2.0.so.0
#17 0x00007ffff3a9e9ef in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib64/libQt5Core.so.5
#18 0x00007ffff3a4753a in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib64/libQt5Core.so.5
#19 0x00007ffff3a4fdc4 in QCoreApplication::exec() () from /usr/lib64/libQt5Core.so.5
#20 0x0000555555588189 in ?? ()
#21 0x00007ffff30bc46a in __libc_start_main () from /lib64/libc.so.6
#22 0x000055555558854a in _start ()
History
Updated by Robin Mills over 4 years ago
- Category set to not-a-bug
- Status changed from New to Assigned
- Assignee set to Robin Mills
- Target version set to 0.27
- % Done changed from 0 to 100
- Estimated time set to 1.00 h
I can't reproduce this with the exiv2(.exe) command line program on MacOS-X.
506 rmills@rmillsmbp:~/gnu/exiv2/0.26 $ exiv2 -pa ~/Downloads/IMGP0006.JPG
Warning: Directory Pentax, entry 0x0004: Data area exceeds data buffer, ignoring it.
Error: XMP Toolkit error 203: Duplicate property or field node
Warning: Failed to decode XMP metadata.
Exif.Image.Make Ascii 19 PENTAX Corporation
Exif.Image.Model Ascii 17 PENTAX Optio M50
...
Exif.Thumbnail.XResolution Rational 1 72
Exif.Thumbnail.YResolution Rational 1 72
Exif.Thumbnail.ResolutionUnit Short 1 inch
Exif.Thumbnail.JPEGInterchangeFormat Long 1 5520
Exif.Thumbnail.JPEGInterchangeFormatLength Long 1 7564
507 rmills@rmillsmbp:~/gnu/exiv2/0.26 $
Updated by Henri Salo over 4 years ago
- File IMGP0006-min.jpg IMGP0006-min.jpg added
With version 0.26 from http://exiv2.org/builds/exiv2-0.26-trunk.tar.gz
Build with: DFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address -ggdb -fno-omit-frame-pointer" ./configure --enable-video --enable-webready
This file causes a heap buffer overflow when executed using the -pa flag. Without the -pa flag no heap buffer overflow is detected.
258d54d0745e9958eb803da602cc45363f06dd3b7e37268f1dd18c1e20fdd860 IMGP0006.JPG
c3f8acd2496fc8f80ad6f730e363eb6ddfffe77353d31440047a0ee768069c2b IMGP0006-min.jpg
I have attached a minimized sample file (using afl-2.49b/afl-tmin).
ASan output is below:
afl@haiven2:~/exiv2-crashes$ ~/builds/exiv2/0.26-afl-asan/bin/exiv2 -pa IMGP0006.JPG
Warning: Directory Pentax, entry 0x0004: Data area exceeds data buffer, ignoring it.
Error: XMP Toolkit error 203: Duplicate property or field node
Warning: Failed to decode XMP metadata.
Exif.Image.Make Ascii 19 PENTAX Corporation
Exif.Image.Model Ascii 17 PENTAX Optio M50
Exif.Image.Orientation Short 1 top, left
Exif.Image.XResolution Rational 1 72
Exif.Image.YResolution Rational 1 72
Exif.Image.ResolutionUnit Short 1 inch
Exif.Image.Software Ascii 12 GIMP 2.8.22
Exif.Image.DateTime Ascii 20 2017:07:27 20:49:15
Exif.Image.YCbCrPositioning Short 1 Co-sited
Exif.Image.ExifTag Long 1 582
Exif.Photo.ExposureTime Rational 1 1/25 s
Exif.Photo.FNumber Rational 1 F3.5
Exif.Photo.ISOSpeedRatings Short 1 800
Exif.Photo.ExifVersion Undefined 4 2.20
Exif.Photo.DateTimeOriginal Ascii 20 2008:01:01 00:00:45
Exif.Photo.DateTimeDigitized Ascii 20 2008:01:01 00:00:45
Exif.Photo.ComponentsConfiguration Undefined 4 YCbCr
Exif.Photo.CompressedBitsPerPixel Rational 1 1
Exif.Photo.ExposureBiasValue SRational 1 0 EV
Exif.Photo.MaxApertureValue Rational 1 F3.5
Exif.Photo.MeteringMode Short 1 Multi-segment
Exif.Photo.Flash Short 1 No, compulsory
Exif.Photo.FocalLength Rational 1 6.3 mm
Exif.Photo.MakerNote Undefined 4364 (Binary value suppressed)
Exif.MakerNote.Offset Long 1 1024
Exif.MakerNote.ByteOrder Ascii 3 II
Exif.Pentax.Version Byte 4 4.2.0.0
Exif.Pentax.Mode Short 1 Manual
Exif.Pentax.PreviewResolution Short 2 640x480
Exif.Pentax.PreviewLength Long 1 38648
Exif.Pentax.PreviewOffset Long 1 15933
Exif.Pentax.ModelID Long 1 Optio M50
Exif.Pentax.Date Undefined 4 2008:01:01
Exif.Pentax.Time Undefined 3 00:00:45
Exif.Pentax.Quality Short 1 Better
Exif.Pentax.Size Short 1 3264x2448
Exif.Pentax.Flash Short 1 Off, Did not fire
Exif.Pentax.Focus Short 1 Macro
Exif.Pentax.AFPoint Short 1 Auto
Exif.Pentax.AFPointInFocus Short 1 Top-left
Exif.Pentax.ExposureTime Long 1 38.97 ms
Exif.Pentax.FNumber Short 1 F3.5
Exif.Pentax.ISO Short 1 800
Exif.Pentax.ExposureCompensation Short 1 0 EV
Exif.Pentax.MeteringMode Short 1 Multi Segment
Exif.Pentax.WhiteBalance Short 1 Auto
Exif.Pentax.WhiteBalanceMode Short 1 Auto (Flash)
Exif.Pentax.BlueBalance Short 1 469
Exif.Pentax.RedBalance Short 1 401
Exif.Pentax.FocalLength Long 1 6.3 mm
Exif.Pentax.DigitalZoom Short 1 100
Exif.Pentax.Saturation Short 1 Normal
Exif.Pentax.Contrast Short 1 Normal
Exif.Pentax.Sharpness Short 1 Normal
Exif.Pentax.Location Short 1 Home town
Exif.Pentax.Hometown Short 1 New York
Exif.Pentax.Destination Short 1 New York
Exif.Pentax.HometownDST Short 1 No
Exif.Pentax.DestinationDST Short 1 No
Exif.Pentax.DSPFirmwareVersion Undefined 4 254 255 255 255
Exif.Pentax.ImageProcessing Undefined 4 Unprocessed
Exif.Pentax.DigitalFilter Short 1 Off
=================================================================
==12028==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000077b4 at pc 0x7fe2167a3708 bp 0x7ffcd49ceea0 sp 0x7ffcd49cee98
READ of size 4 at 0x6020000077b4 thread T0
#0 0x7fe2167a3707 in Exiv2::ValueType<unsigned int>::toLong(long) const ../include/exiv2/value.hpp:1659
#1 0x7fe2169d5b42 in Exiv2::Internal::PentaxMakerNote::printShutterCount(std::ostream&, Exiv2::Value const&, Exiv2::ExifData const*) /home/afl/src/exiv2-trunk/src/pentaxmn.cpp:1193
#2 0x7fe21692bde7 in Exiv2::Metadatum::print(Exiv2::ExifData const*) const /home/afl/src/exiv2-trunk/src/metadatum.cpp:80
#3 0x46beaa in Action::Print::printMetadatum(Exiv2::Metadatum const&, Exiv2::Image const*) /home/afl/src/exiv2-trunk/src/actions.cpp:757
#4 0x4721e6 in Action::Print::printMetadata(Exiv2::Image const*) /home/afl/src/exiv2-trunk/src/actions.cpp:549
#5 0x472e01 in Action::Print::printList() /home/afl/src/exiv2-trunk/src/actions.cpp:538
#6 0x491e07 in Action::Print::run(std::string const&) /home/afl/src/exiv2-trunk/src/actions.cpp:245
#7 0x407c67 in main /home/afl/src/exiv2-trunk/src/exiv2.cpp:170
#8 0x7fe2158ebb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#9 0x408cd9 (/home/afl/builds/exiv2/0.26-afl-asan/bin/exiv2+0x408cd9)
0x6020000077b4 is located 0 bytes to the right of 4-byte region [0x6020000077b0,0x6020000077b4)
allocated by thread T0 here:
#0 0x7fe2178b5fff in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54fff)
#1 0x7fe2167a9efa in __gnu_cxx::new_allocator<unsigned int>::allocate(unsigned long, void const*) /usr/include/c++/4.9/ext/new_allocator.h:104
#2 0x7fe2167a9efa in __gnu_cxx::__alloc_traits<std::allocator<unsigned int> >::allocate(std::allocator<unsigned int>&, unsigned long) /usr/include/c++/4.9/ext/alloc_traits.h:182
#3 0x7fe2167a9efa in std::_Vector_base<unsigned int, std::allocator<unsigned int> >::_M_allocate(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:170
#4 0x7fe2167a9efa in std::_Vector_base<unsigned int, std::allocator<unsigned int> >::_M_create_storage(unsigned long) /usr/include/c++/4.9/bits/stl_vector.h:185
#5 0x7fe2167a9efa in _Vector_base /usr/include/c++/4.9/bits/stl_vector.h:136
#6 0x7fe2167a9efa in vector /usr/include/c++/4.9/bits/stl_vector.h:320
#7 0x7fe2167a9efa in ValueType ../include/exiv2/value.hpp:1544
#8 0x7fe2167a9efa in Exiv2::ValueType<unsigned int>::clone_() const ../include/exiv2/value.hpp:1632
#9 0x7fe21681abf4 in Exiv2::Value::clone() const ../include/exiv2/value.hpp:122
#10 0x7fe21681abf4 in Exiv2::Exifdatum::Exifdatum(Exiv2::Exifdatum const&) /home/afl/src/exiv2-trunk/src/exif.cpp:221
#11 0x7fe21681cae3 in __gnu_cxx::new_allocator<Exiv2::Exifdatum>::construct(Exiv2::Exifdatum*, Exiv2::Exifdatum const&) /usr/include/c++/4.9/ext/new_allocator.h:130
#12 0x7fe21681cae3 in std::list<Exiv2::Exifdatum, std::allocator<Exiv2::Exifdatum> >::_M_create_node(Exiv2::Exifdatum const&) /usr/include/c++/4.9/bits/stl_list.h:496
#13 0x7fe21681cae3 in std::list<Exiv2::Exifdatum, std::allocator<Exiv2::Exifdatum> >::_M_insert(std::_List_iterator<Exiv2::Exifdatum>, Exiv2::Exifdatum const&) /usr/include/c++/4.9/bits/stl_list.h:1680
#14 0x7fe21681cae3 in std::list<Exiv2::Exifdatum, std::allocator<Exiv2::Exifdatum> >::push_back(Exiv2::Exifdatum const&) /usr/include/c++/4.9/bits/stl_list.h:1029
#15 0x7fe21681cae3 in Exiv2::ExifData::add(Exiv2::Exifdatum const&) /home/afl/src/exiv2-trunk/src/exif.cpp:577
#16 0x7fe21681cb8c in Exiv2::ExifData::add(Exiv2::ExifKey const&, Exiv2::Value const*) /home/afl/src/exiv2-trunk/src/exif.cpp:571
#17 0x7fe216b9f6c1 in Exiv2::Internal::TiffDecoder::decodeStdTiffEntry(Exiv2::Internal::TiffEntryBase const*) /home/afl/src/exiv2-trunk/src/tiffvisitor.cpp:488
#18 0x7fe216af8ca1 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
#19 0x7fe216af8ca1 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:919
#20 0x7fe216af7520 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
#21 0x7fe216af7520 in Exiv2::Internal::TiffIfdMakernote::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:949
#22 0x7fe216af6821 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
#23 0x7fe216af6821 in Exiv2::Internal::TiffMnEntry::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:938
#24 0x7fe216af8ca1 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
#25 0x7fe216af8ca1 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:919
#26 0x7fe216af594d in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
#27 0x7fe216af594d in Exiv2::Internal::TiffSubIfd::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:931
#28 0x7fe216af8ca1 in Exiv2::Internal::TiffComponent::accept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:891
#29 0x7fe216af8ca1 in Exiv2::Internal::TiffDirectory::doAccept(Exiv2::Internal::TiffVisitor&) /home/afl/src/exiv2-trunk/src/tiffcomposite.cpp:919
#30 0x7fe216b5f20b in Exiv2::Internal::TiffParserWorker::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int, unsigned int, void (Exiv2::Internal::TiffDecoder::*(*)(std::string const&, unsigned int, Exiv2::Internal::IfdId))(Exiv2::Internal::TiffEntryBase const*), Exiv2::Internal::TiffHeaderBase*) /home/afl/src/exiv2-trunk/src/tiffimage.cpp:1907
#31 0x7fe216b5f20b in Exiv2::TiffParser::decode(Exiv2::ExifData&, Exiv2::IptcData&, Exiv2::XmpData&, unsigned char const*, unsigned int) /home/afl/src/exiv2-trunk/src/tiffimage.cpp:266
#32 0x7fe21681f83a in Exiv2::ExifParser::decode(Exiv2::ExifData&, unsigned char const*, unsigned int) /home/afl/src/exiv2-trunk/src/exif.cpp:629
#33 0x7fe2168ef0fc in Exiv2::JpegBase::readMetadata() /home/afl/src/exiv2-trunk/src/jpgimage.cpp:386
#34 0x472d11 in Action::Print::printList() /home/afl/src/exiv2-trunk/src/actions.cpp:530
#35 0x491e07 in Action::Print::run(std::string const&) /home/afl/src/exiv2-trunk/src/actions.cpp:245
#36 0x407c67 in main /home/afl/src/exiv2-trunk/src/exiv2.cpp:170
#37 0x7fe2158ebb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../include/exiv2/value.hpp:1659 Exiv2::ValueType<unsigned int>::toLong(long) const
Shadow bytes around the buggy address:
0x0c047fff8ea0: fa fa fd fd fa fa 02 fa fa fa 00 00 fa fa fd fa
0x0c047fff8eb0: fa fa fd fd fa fa 04 fa fa fa 00 00 fa fa fd fa
0x0c047fff8ec0: fa fa fd fd fa fa 04 fa fa fa 00 00 fa fa fd fa
0x0c047fff8ed0: fa fa fd fd fa fa 02 fa fa fa 00 00 fa fa fd fa
0x0c047fff8ee0: fa fa fd fd fa fa 04 fa fa fa 00 00 fa fa fd fa
=>0x0c047fff8ef0: fa fa fd fd fa fa[04]fa fa fa 00 00 fa fa fd fa
0x0c047fff8f00: fa fa fd fd fa fa 02 fa fa fa 00 00 fa fa fd fa
0x0c047fff8f10: fa fa fd fd fa fa 04 fa fa fa 00 00 fa fa fd fa
0x0c047fff8f20: fa fa fd fd fa fa 04 fa fa fa 00 00 fa fa fd fa
0x0c047fff8f30: fa fa fd fd fa fa 02 fa fa fa 00 00 fa fa fd fa
0x0c047fff8f40: fa fa fd fd fa fa 02 fa fa fa 00 00 fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==12028==ABORTING
Updated by Robin Mills over 4 years ago
- Category changed from not-a-bug to miscellaneous
- % Done changed from 100 to 20
- Estimated time changed from 1.00 h to 5.00 h
Thanks for providing a lot more information about this issue. I'm on vacation at the moment and will investigate when I get home next week.
Updated by Jacopo Guderzo over 4 years ago
The function PentaxMakerNote::printShutterCount [pentaxmn.cpp#L1168] is missing a null check for the parameter ExifData* metadata.
Gwenview uses operator<<(std::ostream& os, const Metadatum& md)
to get metadata values, and with this operator the pointer is always null.
Updated by Robin Mills over 4 years ago
Are you saying that the fix is:
std::ostream& PentaxMakerNote::printShutterCount(std::ostream& os, const Value& value, const ExifData* metadata)
{
    if ( ! metadata ) return os;
    ExifData::const_iterator dateIt = metadata->findKey( ExifKey("Exif.PentaxDng.Date"));
    ...
}
Updated by Jacopo Guderzo over 4 years ago
I don't know whether it's better to return the untouched stream, to put "undefined" or to put the raw value without decoding it, but basically yes, that's the fix.
Updated by Robin Mills over 4 years ago
- % Done changed from 20 to 80
- Estimated time changed from 5.00 h to 2.00 h
Right. Thank you very much for working on this and discovering the "core" of the issue. I think you are correct, we should do something like return os << "undefined";
I hope to submit the fix today.
Thanks again for your help.
Updated by Robin Mills about 4 years ago
- % Done changed from 80 to 100
- Estimated time changed from 2.00 h to 8.00 h
Fix submitted to https://github.com/Exiv2/exiv2 5405d61