Through applying concolic testing to the libexif library code,
we found several divide-by-zero bugs in maker note parsing code.
For example, mnote_olympus_entry_get_value() in libexif/olympus/mnote-olympus-entry.c
reads a rational value in line 371 and divides vr.numerator by vr.denominator in line 372 without
checking that vr.denominator is not zero. Similar bugs are in lines 374, 382, 393, 394 and so on.
368 case MNOTE_NIKON_TAG_WHITEBALANCERB:
369 CF (entry->format, EXIF_FORMAT_RATIONAL, v, maxlen);
370 CC (entry->components, 4, v, maxlen);
371 vr = exif_get_rational (entry->data, entry->order);
372 r = (double)vr.numerator / vr.denominator;
373 vr = exif_get_rational (entry->data+8, entry->order);
374 b = (double)vr.numerator / vr.denominator;
375 snprintf (v, maxlen, _("Red Correction %f, blue Correction %f"), r,b);
376 break;
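A defensive version of the RATIONAL handling described in this report, as an added example that is not libexif's code: byte_order_t, rational_t and get_long are stand-ins for libexif's own types and exif_get_rational (assumed names), and the sample entries are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <math.h>

/* Stand-ins for libexif's byte-order enum and ExifRational (assumed names, not libexif's). */
typedef enum { ORDER_INTEL, ORDER_MOTOROLA } byte_order_t; /* little / big endian */
typedef struct { uint32_t numerator; uint32_t denominator; } rational_t;

/* Read one 4-byte EXIF LONG in the entry's byte order. */
static uint32_t get_long(const unsigned char *b, byte_order_t order)
{
    if (order == ORDER_MOTOROLA)
        return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    return ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) | ((uint32_t)b[1] << 8) | b[0];
}

/* Hardened conversion of an EXIF RATIONAL (two LONGs: numerator, denominator).
 * Returns 1 and the ratio; for a zero denominator returns 0 and stores NAN
 * instead of dividing unconditionally as the reported code does. */
int rational_to_double_checked(const unsigned char *b, byte_order_t order, double *out)
{
    rational_t vr = { get_long(b, order), get_long(b + 4, order) };
    if (vr.denominator == 0) { *out = NAN; return 0; }
    *out = (double)vr.numerator / vr.denominator;
    return 1;
}

/* Safe equivalent of the WHITEBALANCERB case: red/blue RATIONALs at offsets 0 and 8.
 * Returns 1 if formatted, 0 (writing a placeholder) if the entry is shorter than
 * the two values read or either denominator is zero. */
int format_whitebalance_rb(const unsigned char *data, size_t len, byte_order_t order,
                           char *v, size_t maxlen)
{
    double r, b;
    if (len < 16 || !rational_to_double_checked(data, order, &r)
                 || !rational_to_double_checked(data + 8, order, &b)) {
        snprintf(v, maxlen, "Red/blue correction: invalid entry");
        return 0;
    }
    snprintf(v, maxlen, "Red Correction %f, blue Correction %f", r, b);
    return 1;
}

/* Constructed samples, Intel order: 3/2 then 1/4; 3/2 then 1/0 (zero denominator). */
const unsigned char WB_OK[16]   = { 3,0,0,0, 2,0,0,0, 1,0,0,0, 4,0,0,0 };
const unsigned char WB_ZERO[16] = { 3,0,0,0, 2,0,0,0, 1,0,0,0, 0,0,0,0 };
char scratch[64]; double scratch_ratio; /* output slots for callers such as the test */
```

The length check mirrors the CC() component check in the original: reject the entry before reading past it, and reject a zero denominator before dividing.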
Thank you for reporting this issue. It has been assigned CVE-2012-2837 and has been fixed in the just-released libexif version 0.6.21.