Bug #1353

Segmentation fault in the software exiv2 when the function Exiv2::tEXtToDataBuf() is finished

Added by chung-yi lin over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Category: image format
Target version:
Start date: 22 May 2018
Due date:
% Done: 100%
Estimated time: 1.00 h

Description

Triggered by ./exiv2 -pR POC

Description of problem:

Version-Release number of selected component (if applicable):

0.26

How reproducible:

./exiv2 -pR POC

Steps to Reproduce:

The output information is as follows:
$ ./exiv2 -pR POC
STRUCTURE OF PNG FILE: POC
address | chunk | length | data | checksum
8 | IHDR | 13 | ... ... .... | 0x44a48ac6
33 | QEXt | 25 | Software.Adobe ImageReady | 0x71c9653c
70 | PL | 15 | ..... ... .... | 0x44a48ac6
97 | tEXt | 25 | Software.Adobe IpHYsReady | 0x71c9653c
Segmentation fault (core dumped)

GDB debugging information is as follows:
(gdb) set args -pR POC
(gdb) r
STRUCTURE OF PNG FILE: POC
address | chunk | length | data | checksum
8 | IHDR | 13 | ... ... .... | 0x44a48ac6
33 | QEXt | 25 | Software.Adobe ImageReady | 0x71c9653c
70 | PL | 15 | ..... ... .... | 0x44a48ac6
97 | tEXt | 25 | Software.Adobe IpHYsReady | 0x71c9653c

Program received signal SIGSEGV, Segmentation fault.
0x00000000008031f9 in Exiv2::tEXtToDataBuf (result=..., length=4294967295, bytes=0xec140a " ")
at pngimage.cpp:164

164 if ( value[p[i]] )
(gdb) bt
#0 0x00000000008031f9 in Exiv2::tEXtToDataBuf (result=..., length=4294967295, bytes=0xec140a " ")
at pngimage.cpp:164
#1 Exiv2::PngImage::printStructure (this=0xec0aa0, out=..., option=Exiv2::kpsRecursive, depth=0)
at pngimage.cpp:306
#2 0x000000000046bdc5 in Action::Print::printStructure (this=this@entry=0xec1bd0, out=...,
option=option@entry=Exiv2::kpsRecursive) at actions.cpp:283
#3 0x0000000000486d52 in Action::Print::run (this=0xec1bd0, path="POC") at actions.cpp:247
#4 0x000000000040772d in main (argc=<optimized out>, argv=<optimized out>) at exiv2.cpp:166

(gdb) list
159 // header is \nsomething\n number\n hex
160 while ( count < 3 )
161 if ( *p++ == '\n' )
162 count++;
163 for ( long i = 0 ; i < length ; i++ ){
164 if ( value[p[i]] )
165 ++count;
166 }
167 result.alloc((count+1)/2) ;
168

(gdb) info all-registers


Files

POC (266 Bytes), chung-yi lin, 22 May 2018 05:53
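An added illustration, not exiv2 code and not a fix from the project: a bounds-checked C counterpart of the two loops listed at pngimage.cpp:160-166, which in the report run with length=4294967295. The names `checked_len` and `count_hex_digits` and the sample inputs are hypothetical, and `isxdigit` stands in for the `value[]` table, whose definition the page does not show.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Checked subtraction for an unsigned 32-bit length field (hypothetical
 * helper). Returns -1 when b > a instead of letting the result wrap to a
 * huge value such as the 4294967295 seen in the backtrace. How exiv2
 * derived its length argument is not shown on the page. */
long long checked_len(uint32_t a, uint32_t b)
{
    if (b > a)
        return -1;
    return (long long)(a - b);
}

/* Bounds-checked counterpart of the loops at pngimage.cpp:160-166.
 * Assumption: buf/len describe the bytes actually held in memory.
 * Returns the number of hex digits found after the third '\n', or -1 if
 * the three-line header does not fit inside the buffer. */
long long count_hex_digits(const unsigned char *buf, size_t len)
{
    size_t pos = 0;
    int newlines = 0;

    /* header is \nsomething\n number\n hex */
    while (newlines < 3) {
        if (pos >= len)
            return -1;          /* data ended before the hex section */
        if (buf[pos++] == '\n')
            newlines++;
    }

    long long count = 0;
    for (; pos < len; pos++)    /* never reads past buf + len */
        if (isxdigit(buf[pos]))
            count++;

    return count;
}
```

Both loops share one cursor that is compared against `len` on every read, so a header with fewer than three newlines is rejected rather than scanned past the end of the buffer.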

History

#1

Updated by Robin Mills over 1 year ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
  • Estimated time set to 1.00 h

We will not accept bug reports which use the option -pR. That option is provided for debugging only. In v0.27, it will only be provided on builds with the DEBUG flag. And even then, we will not accept bug reports about it. Exiv2 is a library. The command-line program exiv2(.exe) is a test harness and should never be deployed for production purposes.
