#71 Crash in exif_entry_fix() when e->data is NULL

Status: closed-out-of-date
Owner: nobody
Labels: libexif (61)
Priority: 5
Updated: 2008-02-14
Created: 2007-05-10
Creator: STINNER Victor
Private: No

Hi,

I generated a new file which crashes libexif 0.6.13. The problem is in the function exif_entry_fix(): it doesn't check the e->data value, which is NULL in my case.

You can reproduce the bug with the attached file (fuzzed JPEG picture with EXIF metadata).

Program received signal SIGSEGV, Segmentation fault.
(gdb) where
#0 0xb7ef4ef0 in exif_get_slong (b=0x4 <Address 0x4 out of bounds>, order=EXIF_BYTE_ORDER_MOTOROLA) at exif-utils.c:135
#1 0xb7ef5033 in exif_get_long (buf=0x4 <Address 0x4 out of bounds>, order=EXIF_BYTE_ORDER_MOTOROLA) at exif-utils.c:167
#2 0xb7eed518 in exif_entry_fix (e=0x8052c68) at exif-entry.c:189
#3 0xb7ee9e9e in fix_func (e=0x8052c68, data=0x0) at exif-content.c:230
#4 0xb7ee9d3f in exif_content_foreach_entry (content=0x80510f8, func=0xb7ee9e81 <fix_func>, data=0x0) at exif-content.c:199
#5 0xb7ee9efd in exif_content_fix (c=0x80510f8) at exif-content.c:246
#6 0xb7eecee9 in fix_func (c=0x80510f8, data=0x0) at exif-data.c:1170
#7 0xb7eecb23 in exif_data_foreach_content (data=0x8051058, func=0xb7eece3d <fix_func>, user_data=0x0) at exif-data.c:1035
#8 0xb7eecf1e in exif_data_fix (d=0x8051058) at exif-data.c:1177
#9 0xb7eec628 in exif_data_load_data (data=0x8051058, d_orig=0x80511c0 "Exif", ds_orig=5126) at exif-data.c:875
#10 0xb7ef3a4a in exif_loader_get_data (loader=0x8051020) at exif-loader.c:379
#11 0xb7eec7e9 in exif_data_new_from_file (path=0xbfea26af "/home/haypo/crash_libexif3.jpg") at exif-data.c:926

(gdb) frame 2
(gdb) print *e
$2 = {tag = EXIF_TAG_WHITE_BALANCE, format = EXIF_FORMAT_LONG, components = 2752513, data = 0x0, size = 0, parent = 0x80510f8, priv = 0x8052c88}
(gdb) print e
$1 = (ExifEntry *) 0x8052c68

Victor Stinner (INL)
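The missing check the report describes, as an added illustration that is not libexif's code: a hypothetical minimal entry struct (field names taken from the gdb dump above, values of the fuzzed entry constructed to match it) with the NULL guard exif_entry_fix() lacked, extended with the consistency check a parser should apply anyway, that the bytes actually loaded for the entry equal components times the format width, which also rejects the dump's components = 2752513 against size = 0. entry_data_ok, entry_first_long, fuzzed_entry and good_entry are made-up names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal model of an IFD entry. Field names follow the gdb
 * dump in the report, but this struct is NOT libexif's ExifEntry. */
enum fmt { FMT_SHORT = 3, FMT_LONG = 4 };

struct entry {
    int tag;
    enum fmt format;
    unsigned long components;
    const unsigned char *data;   /* NULL in the fuzzed file */
    unsigned int size;           /* bytes actually loaded for this entry */
};

/* Byte width of one component, 0 for a format this model does not cover. */
static size_t format_size(enum fmt f)
{
    switch (f) {
    case FMT_SHORT: return 2;
    case FMT_LONG:  return 4;
    default:        return 0;
    }
}

/* Big-endian ("Motorola") 32-bit read; the unchecked call in the trace
 * did this on b == 0x4 (NULL plus an offset) and faulted. */
static uint32_t get_long_be(const unsigned char *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* The guard the report asks for, plus the consistency check: the loaded
 * size must equal components * width, with the multiplication checked. */
bool entry_data_ok(const struct entry *e)
{
    size_t unit = format_size(e->format);
    if (e->data == NULL || unit == 0 || e->components == 0)
        return false;
    if (e->components > SIZE_MAX / unit)        /* components * unit would overflow */
        return false;
    return (size_t)e->size == e->components * unit;
}

/* Fix-up step that reads the first LONG of the entry; returns -1 instead
 * of dereferencing an unusable buffer. */
long entry_first_long(const struct entry *e)
{
    if (!entry_data_ok(e))
        return -1;
    return (long)get_long_be(e->data);
}

/* Constructed sample: the entry from the gdb dump (tag 0xA403 is
 * WhiteBalance, format LONG, 2752513 components, data NULL, size 0). */
struct entry fuzzed_entry(void)
{
    struct entry e = { 0xA403, FMT_LONG, 2752513UL, NULL, 0 };
    return e;
}

/* Constructed sample: a well-formed two-component LONG entry. */
static const unsigned char good_bytes[8] = { 0, 0, 0, 1, 0, 0, 0, 2 };

struct entry good_entry(void)
{
    struct entry e = { 0xA403, FMT_LONG, 2UL, good_bytes, sizeof good_bytes };
    return e;
}

int main(void)
{
    struct entry bad = fuzzed_entry(), good = good_entry();
    printf("fuzzed: %ld\n", entry_first_long(&bad));   /* -1, no SIGSEGV */
    printf("good:   %ld\n", entry_first_long(&good));  /* 1 */
    return 0;
}
```

A NULL check alone would stop this particular crash; the size/components comparison is what keeps the fix from being a one-off, because a fuzzed file can just as easily carry a non-NULL data pointer with fewer bytes than components claims.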

Discussion

  • STINNER Victor
    2007-05-10

    Attachments
  • Dan Fandrich
    2008-01-24

    I am unable to reproduce this on libexif 0.6.16. What command-line did you use?
  • Lutz Müller
    2008-02-14

    • status: open --> closed-out-of-date
  • Lutz Müller
    2008-02-14

    I can't reproduce it either using the current version. This has probably been fixed a long time ago.