Bug #1340
Infinite loop bugs in Libexiv2 Exiv2::Image::printIFDStructure()
Description
Hi,
I have found a few infinite loop bugs in libexiv2 (0.26 001a00) with the following command line:
exiv2 POC.
With GDB, the following is the output:
(gdb) bt
#0  0x00007ffff6ee2360 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ffff6e6d5b0 in _IO_new_file_underflow (fp=0x6376a0) at fileops.c:613
#2  0x00007ffff6e6c3a8 in __GI__IO_file_xsgetn (fp=0x6376a0, data=<optimized out>, n=4) at fileops.c:1418
#3  0x00007ffff6e6186f in __GI__IO_fread (buf=<optimized out>, size=1, count=4, fp=0x6376a0) at iofread.c:42
#4  0x00007ffff77db9f1 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) () from /usr/local/lib/libexiv2.so.26
#5  0x00007ffff77dc178 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) () from /usr/local/lib/libexiv2.so.26
#6  0x00007ffff784db13 in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) () from /usr/local/lib/libexiv2.so.26
#7  0x00007ffff784d586 in Exiv2::TiffImage::readMetadata() () from /usr/local/lib/libexiv2.so.26
#8  0x000000000041bdfd in Action::Print::printSummary() ()
#9  0x000000000041e1a8 in Action::Print::run(std::string const&) ()
#10 0x0000000000406bba in main ()
(gdb) f 4
#4  0x00007ffff77db9f1 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) () from /usr/local/lib/libexiv2.so.26
(gdb) list
76 in ../sysdeps/unix/syscall-template.S
From this it appears that the problem is in Exiv2::Image::printIFDStructure(). I have attached two inputs as POC that exhibit the behavior.
Thanks & Regards
Files
History
Updated by Robin Mills over 3 years ago
- Category set to metadata
- Status changed from New to Assigned
- Assignee set to Robin Mills
- Target version set to 0.27
- % Done changed from 0 to 30
- Estimated time set to 2.00 h
Thanks for reporting this. I've reproduced this on 'master'. There is a known fix for this: http://dev.exiv2.org/boards/3/topics/3080
The work to push this fix into 'master' is PR#180 https://github.com/Exiv2/exiv2/pull/180. I'm not sure why integrating PR#180 has been delayed, however it is most certainly in progress.
Because I don't anticipate new/unanticipated work to deal with this, I will leave this issue open to ensure that we test your files when PR#180 is completed. I believe we'll add your files to our test suite at that time.
Updated by Robin Mills about 3 years ago
- Subject changed from Infinite loop bugs in Libexiv2 Exiv2::Image::printIFDStructure() to Infinite loop bugs in Libexiv2 Exiv2::Image::printIFDStructure()
Updated by Robin Mills about 3 years ago
- Status changed from Assigned to Closed
- % Done changed from 30 to 100
Fixed in master and should be included in Exiv2 v0.27 RC2 on 15 November 2018 http://exiv2.dyndns.org
553 rmills@rmillsmbp:~/gnu/github/exiv2/master/build $ bin/exiv2 -pR ~/Downloads/*.exi
STRUCTURE OF TIFF FILE (MM): /Users/rmills/Downloads/extraint-1386.exi
 address |    tag                              |      type |    count |    offset | value
    4618 | 0x00fe NewSubfileType               |      LONG |        1 |           | 0
    4630 | 0x0100 ImageWidth                   |      LONG |        1 |           | 160
    4642 | 0x0101 ImageLength                  |      LONG |        1 |           | 160
    4654 | 0x0102 BitsPerSample                |     SHORT |        3 |      4934 | 8 8 8
    4666 | 0x0103 Compression                  |     SHORT |        1 |           | 6
    4678 | 0x0106 PhotometricInterpretation    |     SHORT |        1 |           | 6
    4690 | 0x0111 StripOffsets                 |      LONG |        1 |           | 610
    4702 | 0x0115 SamplesPerPixel              |     SHORT |        1 |           | 3
    4714 | 0x0116 RowsPerStrip                 |      LONG |        1 |           | 160
    4726 | 0x0117 StripByteCounts              |      LONG |        1 |           | 3447
    4738 | 0x011a XResolution                  |  RATIONAL |        1 |      4940 | 200/2
    4750 | 0x011b YResolution                  |  RATIONAL |        1 |      4948 | 200/2
    4762 | 0x011c PlanarConfiguration          |     SHORT |        1 |           | 1
    4774 | 0x0128 ResolutionUnit               |     SHORT |        1 |           | 2
    4786 | 0x0131 Software                     |     ASCII |       11 |      4956 | HP IL v1.1
    4798 | 0x0200 JPEGProc                     |     SHORT |        1 |           | 1
    4810 | 0x0201 JPEGInterchangeFormat        |      LONG |        1 |           | 8
    4822 | 0x0202 JPEGInterchangeFormatLength  |      LONG |        1 |           | 4608
    4834 | 0x0203 JPEGRestartInterval          |     SHORT |        1 |           | 0
    4846 | 0x0207 JPEGQTables                  |      LONG |        3 |      4968 | 34 103 103
    4858 | 0x0208 JPEGDCTables                 |      LONG |        3 |      4980 | 172 205 205
    4870 | 0x0209 JPEGACTables                 |      LONG |        3 |      4992 | 238 421 421
    4882 | 0x0211 YCbCrCoefficients            |  RATIONAL |        3 |      5004 | 2990/10000 5870/10000 1140/10000
    4894 | 0x0212 YCbCrSubSampling             |     SHORT |        2 |           | 2 2
    4906 | 0x0213 YCbCrPositioning             |     SHORT |        1 |           | 1
    4918 | 0x0214 ReferenceBlackWhite          |      LONG |        6 |      5028 | 0 255 128 255 128 ...
Exiv2 exception in print action for file /Users/rmills/Downloads/extraint-1386.exi: corrupted image metadata
STRUCTURE OF TIFF FILE (II): /Users/rmills/Downloads/new-252-g125.exi
Exiv2 exception in print action for file /Users/rmills/Downloads/new-252-g125.exi: corrupted image metadata
554 rmills@rmillsmbp:~/gnu/github/exiv2/master/build $
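The reporter's backtrace places the hang inside Exiv2::Image::printIFDStructure() while it walks the TIFF IFD chain, and the fixed build above stops on the same files with a "corrupted image metadata" exception instead. As an added illustration, not Exiv2's code and not derived from the attached PoC files, here is a minimal TIFF IFD-chain walker in C++ that refuses the two attacker-controlled conditions that can keep such a loop running forever: an IFD offset that lands outside the file, and a next-IFD pointer that revisits an IFD already seen. The constructed sample inputs (a next-IFD pointer that points back at IFD0, an IFD0 offset beyond end of file, a file cut short inside an IFD) are assumptions about how such loops arise; the page does not show the contents of the reporter's inputs.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <set>
#include <vector>

// Outcome of walking a TIFF IFD chain. Anything but Ok is where a robust
// reader should stop and report corrupted metadata instead of looping.
enum class IfdWalk { Ok, BadHeader, OffsetOutOfRange, TruncatedIfd, LoopDetected };

struct IfdWalkResult {
    IfdWalk status;
    size_t ifdCount;    // IFDs fully parsed before stopping
    size_t entryCount;  // directory entries across those IFDs
};

// Reads an n-byte (2 or 4) unsigned integer at pos in the file's byte order.
// Callers must have bounds-checked [pos, pos + n) already.
static uint32_t readUInt(const std::vector<uint8_t>& buf, size_t pos, size_t n, bool bigEndian) {
    uint32_t v = 0;
    for (size_t i = 0; i < n; ++i) {
        uint8_t b = buf[bigEndian ? pos + i : pos + n - 1 - i];
        v = (v << 8) | b;
    }
    return v;
}

// Walks IFD0 -> next IFD -> ... until a zero next-IFD pointer. Every IFD offset
// is checked against the file size before it is dereferenced, and offsets
// already visited are rejected, so a cyclic chain terminates in one pass.
IfdWalkResult walkIfdChain(const std::vector<uint8_t>& tiff) {
    IfdWalkResult r{IfdWalk::BadHeader, 0, 0};
    if (tiff.size() < 8) return r;
    bool bigEndian;
    if (tiff[0] == 'M' && tiff[1] == 'M') bigEndian = true;
    else if (tiff[0] == 'I' && tiff[1] == 'I') bigEndian = false;
    else return r;
    if (readUInt(tiff, 2, 2, bigEndian) != 42) return r;  // TIFF magic number

    std::set<uint32_t> visited;
    uint32_t offset = readUInt(tiff, 4, 4, bigEndian);  // offset of IFD0
    r.status = IfdWalk::Ok;
    while (offset != 0) {
        if (!visited.insert(offset).second) { r.status = IfdWalk::LoopDetected; return r; }
        // The 2-byte entry count must lie inside the file.
        if (offset > tiff.size() || tiff.size() - offset < 2) { r.status = IfdWalk::OffsetOutOfRange; return r; }
        uint32_t count = readUInt(tiff, offset, 2, bigEndian);
        // count 12-byte entries plus the 4-byte next-IFD pointer must also fit.
        size_t need = 2 + static_cast<size_t>(count) * 12 + 4;
        if (tiff.size() - offset < need) { r.status = IfdWalk::TruncatedIfd; return r; }
        r.entryCount += count;
        r.ifdCount += 1;
        offset = readUInt(tiff, offset + 2 + static_cast<size_t>(count) * 12, 4, bigEndian);
    }
    return r;
}

// Constructed big-endian TIFF (not the reporter's PoC): header, then one IFD at
// offset 8 holding a single ImageWidth (0x0100, LONG, 160) entry. nextIfd is
// written as that IFD's next-IFD pointer; firstIfd as the header's IFD0 offset.
std::vector<uint8_t> makeTiff(uint32_t nextIfd, uint32_t firstIfd = 8) {
    std::vector<uint8_t> t = {'M', 'M', 0x00, 0x2a};
    auto put16 = [&t](uint16_t v) { t.push_back(static_cast<uint8_t>(v >> 8)); t.push_back(static_cast<uint8_t>(v)); };
    auto put32 = [&t](uint32_t v) {
        t.push_back(static_cast<uint8_t>(v >> 24)); t.push_back(static_cast<uint8_t>(v >> 16));
        t.push_back(static_cast<uint8_t>(v >> 8));  t.push_back(static_cast<uint8_t>(v));
    };
    put32(firstIfd);
    put16(1);                                        // one directory entry
    put16(0x0100); put16(4); put32(1); put32(160);   // tag, type LONG, count, value
    put32(nextIfd);
    return t;
}

// Drops bytes off the end, simulating a file cut short inside an IFD.
std::vector<uint8_t> truncateTo(std::vector<uint8_t> t, size_t n) { t.resize(n); return t; }

static const char* statusName(IfdWalk s) {
    switch (s) {
        case IfdWalk::Ok: return "ok";
        case IfdWalk::BadHeader: return "bad header";
        case IfdWalk::OffsetOutOfRange: return "IFD offset outside file";
        case IfdWalk::TruncatedIfd: return "IFD truncated";
        case IfdWalk::LoopDetected: return "IFD chain loops";
    }
    return "?";
}

int main() {
    struct Case { const char* name; std::vector<uint8_t> data; } cases[] = {
        {"well-formed", makeTiff(0)},
        {"next-IFD points back at IFD0", makeTiff(8)},
        {"IFD0 offset beyond EOF", makeTiff(0, 0x1000)},
        {"file cut short inside IFD0", truncateTo(makeTiff(0), 20)},
    };
    for (const Case& c : cases) {
        IfdWalkResult r = walkIfdChain(c.data);
        std::cout << c.name << ": " << statusName(r.status) << " after " << r.ifdCount << " IFD(s)\n";
    }
    return 0;
}
```

The visited-offset set is what makes the walk terminate on a cyclic chain; the bounds checks before every read are what keep it from reading past the buffer or, as in the reporter's trace, blocking in fread on data that is not there. Checking the whole IFD size up front (entry count times 12, plus the next pointer) rather than entry by entry also means a hostile count field fails once, cleanly, instead of partway through the directory.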