bug1_3
Description: Binary data
bug2_4
Description: Binary data
product: exifprobe
tag: security
affected version: only tested 2.0.1 (latest)

reproduce:
exifprobe bug1_3
exifprobe bug2_4

CASE1: SEGV

@0x000031c=796 : **** next IFD offset 53620784 (+ 12 = 0x332303c/53620796)
@0x0000320=800 : ============= VALUES, EXIF IFD ============
@0x0000348=840 : ExposureTime = 0 sec
@0x0000350=848 : FNumber = 4.33 APEX = 'f4.5'
@0x002000c=131084 : TAG_0x2582 = FAILED to read unsigned short value at offset 131084 (EOF)
@0x0000320=800 : DateTimeOriginal = '6:03:11 14:49:13A\372\377\373'
@0x0000334=820 : DateTimeDigitized = '\0\0\0d\0\0\002\241\0\0\0d\0\0\001\261\0\0\0d'
@0x0000358=856 : TAG_0xb23f = 1
@0x0000360=864 : ShutterSpeedValue = 1 APEX = '0.5 sec'
@0x0000368=872 : ApertureValue = 1.00392 APEX = 'f1.4'
@0x0000370=880 : ExposureBiasValue = 13.3027 APEX
@0x0000378=888 : MaxApertureValue = 0.741181 APEX = 'f1.3'
@0x002000c=131084 : MeteringMode = FAILED to read unsigned short value at offset 131084 (EOF)
@0x0000380=896 : FocalLength = 11.8355 mm
ASAN:SIGSEGV
=================================================================
==13382== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc4b52d75c8 sp 0x7ffffb00e640 bp 0x7ffffb00e690 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fc4b52d75c7 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x105c7)
    #1 0x474953 (/usr/bin/exifprobe+0x474953)
    #2 0x4448f3 (/usr/bin/exifprobe+0x4448f3)
    #3 0x43c6bd (/usr/bin/exifprobe+0x43c6bd)
    #4 0x4478bc (/usr/bin/exifprobe+0x4478bc)
    #5 0x44a56d (/usr/bin/exifprobe+0x44a56d)
    #6 0x403a5c (/usr/bin/exifprobe+0x403a5c)
    #7 0x7fc4b4c15a3f (/lib/x86_64-linux-gnu/libc-2.21.so+0x20a3f)
    #8 0x405d68 (/usr/bin/exifprobe+0x405d68)
==13382== ABORTING

CASE2: global-buffer-overflow

@0x00005e0=1504 : <0x0100= 256> ImageWidth [6 =SBYTE 4093772288] = @0x400000c=67108876 FAILED to read 4 unsigned bytes at offset 1524 (EOF)
=================================================================
==29216== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000503260 at pc 0x409a54 bp 0x7ffff05c1960 sp 0x7ffff05c1958
READ of size 4 at 0x000000503260 thread T0
    #0 0x409a53 (/usr/bin/exifprobe+0x409a53)
    #1 0x44357f (/usr/bin/exifprobe+0x44357f)
    #2 0x43c6bd (/usr/bin/exifprobe+0x43c6bd)
    #3 0x4478bc (/usr/bin/exifprobe+0x4478bc)
    #4 0x44a56d (/usr/bin/exifprobe+0x44a56d)
    #5 0x403a5c (/usr/bin/exifprobe+0x403a5c)
    #6 0x7f0862268a3f (/lib/x86_64-linux-gnu/libc-2.21.so+0x20a3f)
    #7 0x405d68 (/usr/bin/exifprobe+0x405d68)
0x000000503261 is located 0 bytes to the right of global variable '*.LC22 (readfile.c)' (0x503260) of size 1
  '*.LC22 (readfile.c)' is ascii string ''
Shadow bytes around the buggy address:
  0x0000800985f0: 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080098600: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 07 f9
  0x000080098610: f9 f9 f9 f9 00 00 00 00 00 00 02 f9 f9 f9 f9 f9
  0x000080098620: 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 00 00 00 00
  0x000080098630: 00 00 02 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
=>0x000080098640: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9[01]f9 f9 f9
  0x000080098650: f9 f9 f9 f9 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
  0x000080098660: 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080098670: 00 06 f9 f9 f9 f9 f9 f9 00 00 00 00 00 05 f9 f9
  0x000080098680: f9 f9 f9 f9 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9
  0x000080098690: 00 00 00 04 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==29216== ABORTING

--
Chen Qin / Topsec Product Security Team