Project

General

Profile

Bug #1346

Assertion failure in Exiv2::Internal::CiffComponent::doRead() in libexiv2

Added by Sanjay Rawat over 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Robin Mills
Category:
image format
Target version:
0.27
Start date:
21 Apr 2018
Due date:
% Done:

100%

Estimated time:
2.00 h

Description

Hi,
I found a failure assertion event in libevix2(0.26 001a00, 64 bit). To reproduce,
$ exiv2 input_file

The input that triggered the failure is attached.
GDB output: ====
@(gdb) r
Starting program: /usr/local/bin/exiv2 outd/crashInputs/exiv2-2018-04-06T00-08-51.535163.exi
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
exiv2: crwimage_int.cpp:241: virtual void Exiv2::Internal::CiffComponent::doRead(const byte*, uint32_t, uint32_t, Exiv2::ByteOrder): Assertion `dl directoryData || dl valueData' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6e29c37 in GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff6e29c37 in _GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff6e2d028 in __GI_abort () at abort.c:89
#2 0x00007ffff6e22bf6 in __assert_fail_base (fmt=0x7ffff6f77058 "%s%s%s:%u: s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x7ffff78cb080 "dl directoryData || dl valueData", file=file@entry=0x7ffff78cafd5 "crwimage_int.cpp", line=line@entry=241,
function=function@entry=0x7ffff78cb9a0 <Exiv2::Internal::CiffComponent::doRead(unsigned char const*, unsigned int, unsigned int, Exiv2::ByteOrder)::_PRETTY_FUNCTION> "virtual void Exiv2::Internal::CiffComponent::doRead(const byte*, uint32_t, uint32_t, Exiv2::ByteOrder)") at assert.c:92
#3 0x00007ffff6e22ca2 in GIassert_fail (assertion=0x7ffff78cb080 "dl directoryData || dl valueData", file=0x7ffff78cafd5 "crwimage_int.cpp", line=241,
function=0x7ffff78cb9a0 <Exiv2::Internal::CiffComponent::doRead(unsigned char const*, unsigned int, unsigned int, Exiv2::ByteOrder)::_PRETTY_FUNCTION__> "virtual void Exiv2::Internal::CiffComponent::doRead(const byte*, uint32_t, uint32_t, Exiv2::ByteOrder)") at assert.c:101
#4 0x00007ffff77ad96f in Exiv2::Internal::CiffComponent::doRead(unsigned char const*, unsigned int, unsigned int, Exiv2::ByteOrder) () from /usr/local/lib/libexiv2.so.26
#5 0x00007ffff77adb15 in Exiv2::Internal::CiffDirectory::readDirectory(unsigned char const*, unsigned int, Exiv2::ByteOrder) () from /usr/local/lib/libexiv2.so.26
#6 0x00007ffff77b4997 in Exiv2::CrwParser::decode(Exiv2::CrwImage*, unsigned char const*, unsigned int) () from /usr/local/lib/libexiv2.so.26
#7 0x00007ffff77b5258 in Exiv2::CrwImage::readMetadata() () from /usr/local/lib/libexiv2.so.26
#8 0x000000000041bdfd in Action::Print::printSummary() ()
#9 0x000000000041e1a8 in Action::Print::run(std::string constx%x) ()
#10 0x0000000000406bba in main ()
@

Thanks
-Sanjay

Files

exiv2-2018-04-06T00-08-51.535163.exi (4.32 KB) exiv2-2018-04-06T00-08-51.535163.exi Sanjay Rawat, 21 Apr 2018 09:33

History

#1

Updated by Robin Mills over 3 years ago

  • Category set to image format
  • Status changed from New to Assigned
  • Assignee set to Robin Mills
  • Target version set to 0.27
  • % Done changed from 0 to 10
  • Estimated time set to 4.00 h

Thanks for reporting this. I've reproduced this and will investigate.

#2

Updated by Robin Mills over 3 years ago

  • % Done changed from 10 to 50
  • Estimated time changed from 4.00 h to 2.00 h

Thanks for reporting this. I've replaced an assert with a throw and that makes the crash disappear. I'd like to discuss assert() with Team Exiv2. We have a new error mechanism in development at the moment and we should consider redefining assert() appropriately. Here's my fix:

540 rmills@rmillsmbp:~/gnu/github/exiv2/exiv2 $ git diff src/crwimage_int.cpp 
diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
index fae860f1..a85d2c08 100644
--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
@@ -238,7 +238,9 @@ namespace Exiv2 {
         tag_ = getUShort(pData + start, byteOrder);

         DataLocId dl = dataLocation();
-        assert(dl == directoryData || dl == valueData);
+        if ( dl != directoryData && dl != valueData ) {
+            throw Error(kerCorruptedMetadata);
+        }

         if (dl == valueData) {
             size_   = getULong(pData + start + 2, byteOrder);
541 rmills@rmillsmbp:~/gnu/github/exiv2/exiv2 $
I will raise an issue on GitHub about this and it will be fixed and tracked there. I'll close this issue when the GitHub version is resolved.

#3

Updated by Robin Mills about 3 years ago

Sanjay: I'm reviewing all outstanding issues in preparation for Exiv2 v0.27 RC1 which will be released in October. There are 8 open issues on Redmine and 3 of them were reported by you. #1340, #1345 and #1346. They will receive attention before Exiv2 v0.27 GM which will be in December.

#4

Updated by Sanjay Rawat about 3 years ago

Thank you Robin for keeping an eye on them :)

#5

Updated by Robin Mills about 3 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 50 to 100

Fixed on 'master' and should be available on Exiv2 v0.27 RC2 available 2018-11-15 http://exiv2.dyndns.org

555 rmills@rmillsmbp:~/gnu/github/exiv2/master/build $ bin/exiv2 -pR ~/Downloads/exiv2-2018-04-06T00-08-51.535163.exi 
Exiv2 exception in print action for file /Users/rmills/Downloads/exiv2-2018-04-06T00-08-51.535163.exi:
Image type /Users/rmills/Downloads/exiv2-2018-04-06T00-08-51.535163.exi is not supported
556 rmills@rmillsmbp:~/gnu/github/exiv2/master/build $

Also available in: Atom PDF