#108 Divide-by-zero bug in maker note parsing code

Status: closed-fixed
Owner: Dan Fandrich
Labels: libexif (61)
Priority: 5
Updated: 2012-07-12
Created: 2011-11-07
Creator: Yunho Kim
Private: No

Through applying concolic testing to the libexif library code,
we found several divide-by-zero bugs in maker note parsing code.

For example, mnote_olympus_entry_get_value() in libexif/olympus/mnote-olympus-entry.c
reads a rational value in line 371 and divides vr.numerator by vr.denominator in line 372 without
checking that vr.denominator is non-zero. Similar bugs are in lines 374, 382, 393, 394 and so on.

368 case MNOTE_NIKON_TAG_WHITEBALANCERB:
369 CF (entry->format, EXIF_FORMAT_RATIONAL, v, maxlen);
370 CC (entry->components, 4, v, maxlen);
371 vr = exif_get_rational (entry->data, entry->order);
372 r = (double)vr.numerator / vr.denominator;
373 vr = exif_get_rational (entry->data+8, entry->order);
374 b = (double)vr.numerator / vr.denominator;
375 snprintf (v, maxlen, _("Red Correction %f, blue Correction %f"), r,b);
376 break;
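The division pattern quoted above, shown in isolation next to a checked version. This is an added example written for this page, not libexif's code: the Rational/ByteOrder types, get_u32() and get_rational() are minimal stand-ins for the library's ExifRational, ExifByteOrder and exif_get_rational(), and the three 16-byte entry buffers are constructed sample data (two RATIONAL components each: red, then blue), not bytes from any real image. The unchecked function reproduces the report's lines 371-374; because both operands are converted to double, a zero denominator does not trap on an IEEE 754 host but silently produces inf or NaN, which then flows into the snprintf() that formats the value. The checked function bounds-checks the buffer and rejects a zero denominator before dividing.

```c
#include <math.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed minimal stand-ins for libexif's ExifRational / ExifByteOrder;
 * these are not the library's own definitions. */
typedef struct { uint32_t numerator; uint32_t denominator; } Rational;
typedef enum { ORDER_LITTLE, ORDER_BIG } ByteOrder;

typedef struct {
    int ok;        /* 1 if both values were computed, 0 if the entry was rejected */
    double red;    /* red correction */
    double blue;   /* blue correction */
} WhiteBalance;

/* Read a 32-bit unsigned value in the entry's byte order (assumed helper). */
static uint32_t get_u32(const unsigned char *p, ByteOrder o)
{
    if (o == ORDER_LITTLE)
        return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* EXIF RATIONAL: two consecutive 32-bit unsigned integers, numerator then denominator. */
static Rational get_rational(const unsigned char *p, ByteOrder o)
{
    Rational r;
    r.numerator   = get_u32(p, o);
    r.denominator = get_u32(p + 4, o);
    return r;
}

/* Unchecked: the same division pattern the report quotes (lines 371-374).
 * Both operands become double, so on an IEEE 754 host 5/0 gives +inf and
 * 0/0 gives NaN instead of trapping; the garbage then reaches snprintf. */
static WhiteBalance whitebalance_unchecked(const unsigned char *data, ByteOrder o)
{
    WhiteBalance wb;
    Rational vr = get_rational(data, o);
    wb.red = (double)vr.numerator / vr.denominator;
    vr = get_rational(data + 8, o);
    wb.blue = (double)vr.numerator / vr.denominator;
    wb.ok = 1;
    return wb;
}

/* Hardened: verify the buffer holds the two RATIONALs that are read and
 * reject a zero denominator before dividing. Rejecting the entry versus
 * substituting 0 is a policy choice; this example rejects. */
static WhiteBalance whitebalance_checked(const unsigned char *data, size_t len, ByteOrder o)
{
    WhiteBalance wb = { 0, 0.0, 0.0 };
    Rational vr;

    if (data == NULL || len < 16)          /* two 8-byte RATIONAL components */
        return wb;
    vr = get_rational(data, o);
    if (vr.denominator == 0)
        return wb;
    wb.red = (double)vr.numerator / vr.denominator;
    vr = get_rational(data + 8, o);
    if (vr.denominator == 0)
        return wb;
    wb.blue = (double)vr.numerator / vr.denominator;
    wb.ok = 1;
    return wb;
}

/* Constructed sample entry data (not from any real image): red 5/4, blue 3/2. */
static const unsigned char GOOD_LE[16] = {
    5, 0, 0, 0,  4, 0, 0, 0,   3, 0, 0, 0,  2, 0, 0, 0
};
/* Same values, big-endian byte order. */
static const unsigned char GOOD_BE[16] = {
    0, 0, 0, 5,  0, 0, 0, 4,   0, 0, 0, 3,  0, 0, 0, 2
};
/* Malformed: the red denominator is zero, the case the report describes. */
static const unsigned char BAD_LE[16] = {
    5, 0, 0, 0,  0, 0, 0, 0,   3, 0, 0, 0,  2, 0, 0, 0
};

int main(void)
{
    char v[64];
    WhiteBalance wb = whitebalance_unchecked(BAD_LE, ORDER_LITTLE);
    snprintf(v, sizeof v, "Red Correction %f, blue Correction %f", wb.red, wb.blue);
    printf("unchecked: %s\n", v);               /* red is printed as inf */

    wb = whitebalance_checked(BAD_LE, sizeof BAD_LE, ORDER_LITTLE);
    printf("checked:   %s\n", wb.ok ? "accepted" : "rejected (zero denominator)");

    wb = whitebalance_checked(GOOD_BE, sizeof GOOD_BE, ORDER_BIG);
    printf("checked:   red %.2f, blue %.2f\n", wb.red, wb.blue);
    return 0;
}
```

Where the same pattern uses integer operands instead of the double cast, a zero denominator is undefined behaviour in C and traps on x86, so the check has to come before the division in either form; a zero denominator is attacker-controlled input in a maker note and must be treated as a parse error, not an arithmetic edge case.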

Discussion

  • Dan Fandrich, 2012-07-12

    Thank you for reporting this issue. It has been assigned CVE-2012-2837 and has been fixed in the just-released libexif version 0.6.21.

  • Dan Fandrich, 2012-07-12

    • assigned_to: nobody --> dfandrich
    • status: open --> open-fixed

  • Dan Fandrich, 2012-07-12

    • status: open-fixed --> closed-fixed