#114 Integer overflow in libexif/canon/exif-mnote-data-canon.c

pending-invalid
nobody
libexif (61)
5
2013-01-08
2013-01-08
chendong
No

Through applying testing to the libexif 0.6.21,
we found that libexif has four integer overflow bugs in
exif_mnote_data_canon_save in libexif/canon/exif-mnote-data-canon.c
exif_mnote_data_fuji_save in libexif/fuji/exif-mnote-data-fuji.c
exif_mnote_data_olympus_save in libexif/olympus/exif-mnote-data-olympus.c
exif_mnote_data_pentax_save in libexif/pentax/exif-mnote-data-pentax.c

In exif_mnote_data_canon_save:
The bug is in line 131. When 2 + n->count * 12 + 4 is larger than UINT_MAX, 2 + n->count * 12 + 4 becomes smaller due to integer overflow. Thus exif_mem_alloc in line 132 may get less memory than expected. Then exif_set_short in line 144 may access an invalid memory address, which causes a segmentation fault or unexpected results.

The other 3 bugs are similar.

131     *buf_size = 2 + n->count * 12 + 4;
132     *buf = exif_mem_alloc (ne->mem, sizeof (char) * *buf_size);
133     if (!*buf) {
134         EXIF_LOG_NO_MEMORY(ne->log, "ExifMnoteCanon", *buf_size);
135         return;
136     }
137
138     /* Save the number of entries */
139     exif_set_short (*buf, n->order, (ExifShort) n->count);
140
141     /* Save each entry */
142     for (i = 0; i < n->count; i++) {
143         o = 2 + i * 12;
144         exif_set_short (*buf + o + 0, n->order, (ExifShort) n->entries[i].tag);

Discussion

  • Dan Fandrich, 2013-01-08

    But count is limited to several factors less than 65535 here, and libexif assumes ints are at least 32 bits wide. I don't see how this can overflow. Is this a theoretical problem, or do you have an image that causes such an overflow?

  • chendong, 2013-01-08

    This is a theoretical problem; I do not have that image.
    I do not see that count is less than 65535.

  • Dan Fandrich, 2013-01-08

    The size of an EXIF block is at maximum 65536 bytes, so at the absolute maximum, any makernote is going to have somewhat less than that number of bytes available. Since all the makernote tags take several bytes each at minimum, it's not possible for count to ever be more than a few thousand, hence no overflow is possible.

  • Dan Fandrich, 2013-01-08

    • status: open --> pending-invalid
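The size arithmetic the report points at, placed next to the bound that Dan Fandrich's reply relies on, as an added C example (not libexif's own code). The 12-byte entry stride is taken from the `i * 12` in the quoted code and the 64 KiB EXIF block limit from the discussion; the checked helper and all function names are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Maximum size of one EXIF block in bytes, as stated in the discussion. */
#define EXIF_BLOCK_MAX 65536u
/* On-disk size of one IFD entry; matches the "i * 12" stride in the report. */
#define ENTRY_SIZE 12u

/* The arithmetic from line 131 of the report, unchanged: if count were large
 * enough, the product would wrap and the allocation at line 132 would be too small. */
unsigned int canon_buf_size_unchecked(unsigned int count)
{
    return 2 + count * ENTRY_SIZE + 4;
}

/* Same size computation with an explicit bound check; returns false rather
 * than a wrapped size. This is a hypothetical hardening, not libexif code. */
bool canon_buf_size_checked(unsigned int count, unsigned int *out)
{
    if (count > (UINT_MAX - 6u) / ENTRY_SIZE)
        return false;
    *out = 2 + count * ENTRY_SIZE + 4;
    return true;
}

/* Largest count that fits if a whole EXIF block held nothing but entries
 * after the 2-byte count: this is the bound Dan Fandrich's reply relies on. */
unsigned int max_entries_in_exif_block(void)
{
    return (EXIF_BLOCK_MAX - 2u) / ENTRY_SIZE;
}

/* Smallest count at which the unchecked expression wraps on this platform. */
unsigned int first_wrapping_count(void)
{
    return (UINT_MAX - 6u) / ENTRY_SIZE + 1u;
}

int main(void)
{
    unsigned int n = max_entries_in_exif_block(), w = first_wrapping_count(), size = 0;
    canon_buf_size_checked(n, &size);
    printf("max entries in a 64 KiB block: %u -> buffer %u bytes\n", n, size);
    printf("first wrapping count: %u -> unchecked size wraps to %u bytes\n",
           w, canon_buf_size_unchecked(w));
    return 0;
}
```

The gap between the two counts is the whole argument: the first wrapping count is several orders of magnitude above what a 64 KiB block can hold, so the check only matters if count can come from somewhere other than parsed EXIF data.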