EXIF Tag Parsing Library / Bugs / #108 Divide-by-zero bug in maker note parsing code

#108 Divide-by-zero bug in maker note parsing code

Status: closed-fixed

Owner: Dan Fandrich

Labels: libexif (62)

Priority: 5

Updated: 2012-07-12

Created: 2011-11-07

Creator: Yunho Kim

Private: No

Through applying concolic testing to the libexif library code,
we found several divide-by-zero bugs in maker note parsing code.

For example, mnote_olympus_entry_get_value() in libexif/olympus/mnote-olympus-entry.c
reads a rational value in line 371 and divides vr.numerator by v4.denominator in line 372 without
checking vr.denominator is not zero. Similar bugs are in line 374, 382, 393, 394 and so on.

368 case MNOTE_NIKON_TAG_WHITEBALANCERB:
369 CF (entry->format, EXIF_FORMAT_RATIONAL, v, maxlen);
370 CC (entry->components, 4, v, maxlen);
371 vr = exif_get_rational (entry->data, entry->order);
372 r = (double)vr.numerator / vr.denominator;
373 vr = exif_get_rational (entry->data+8, entry->order);
374 b = (double)vr.numerator / vr.denominator;
375 snprintf (v, maxlen, _("Red Correction %f, blue Correction %f"), r,b);
376 break;

Discussion

Dan Fandrich - 2012-07-12

Thank-you for reporting this issue. It has been assigned CVE-2012-2837 and has been fixed in the just-released libexif version 0.6.21.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dan Fandrich - 2012-07-12

assigned_to: nobody --> dfandrich

status: open --> open-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dan Fandrich - 2012-07-12

status: open-fixed --> closed-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Divide-by-zero bug in maker note parsing code

Group

Searches

Help

#108 Divide-by-zero bug in maker note parsing code

Discussion