Hi,

I wrote a fuzzer program and tried it on all programs. I found a serious bug
in your libexif library!
At libexif/exif-data.c line 186, function exif_data_load_data_entry():

```c
/* Sanity check */
if (size < doff + s)
	return;
entry->data = exif_data_alloc (data, s);
if (entry->data) {
	entry->size = s;
	memcpy (entry->data, d + doff, s);
}
```
Your code looks valid, but try with:

    s=296
    doff=4294901874
    s=65535

doff+s is 4294967409 and 4294967409 is smaller than s. Ok, but we are in the C
world and the C language uses modulo 2^32 (2^sizeof(int)), and so doff+s is 113!
I don't know how to detect overflow, but I wrote these other tests:

```c
if (size < s)
	return;
if (size < doff)
	return;
```
A better idea would be to check the s and doff values, since a doff bigger than the
file size and/or bigger than 2^31 looks to be an invalid value.

Victor
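The arithmetic in the report, worked through as an added example (this is editor-written code, not libexif's). It models the quoted sanity check with 32-bit unsigned `doff` and `s`, puts the overflow-safe form beside it (check `doff` against `size` first, then `s` against the remaining room, so no addition can wrap), and uses a constructed 1000-byte buffer plus the report's `doff`/`s` pair; `size` and the helper names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The check as quoted in the report. doff + s is computed modulo 2^32, so a
 * large doff can wrap the sum below size and the check passes (returns 1). */
int bounds_check_naive(uint32_t size, uint32_t doff, uint32_t s)
{
    return !(size < (uint32_t)(doff + s));
}

/* Overflow-safe form: reject doff beyond the buffer, then compare s against
 * the bytes that remain after doff. Neither comparison can wrap. */
int bounds_check_safe(uint32_t size, uint32_t doff, uint32_t s)
{
    if (doff > size)
        return 0;
    if (s > size - doff)
        return 0;
    return 1;
}

/* Copies an entry out of d, guarded by the safe check. Returns the number of
 * bytes copied, or 0 if the entry was rejected. */
size_t load_entry(const unsigned char *d, uint32_t size, uint32_t doff,
                  uint32_t s, unsigned char *out, size_t out_len)
{
    if (!bounds_check_safe(size, doff, s) || s > out_len)
        return 0;
    memcpy(out, d + doff, s);
    return s;
}

/* Constructed scenario: a 1000-byte "file" with the report's doff/s pair.
 * Returns the bytes copied (expected 0: the entry is rejected). */
size_t demo_overflow_entry(void)
{
    unsigned char buf[1000];
    unsigned char out[16];
    memset(buf, 0xAB, sizeof buf);
    return load_entry(buf, 1000, 4294901874u, 65535u, out, sizeof out);
}

/* Constructed scenario: a legitimate 16-byte entry at offset 100 in the same
 * buffer. Returns the bytes copied (expected 16). */
size_t demo_legitimate_entry(void)
{
    unsigned char buf[1000];
    unsigned char out[16];
    memset(buf, 0xAB, sizeof buf);
    return load_entry(buf, 1000, 100, 16, out, sizeof out);
}

int main(void)
{
    uint32_t size = 1000, doff = 4294901874u, s = 65535u;

    printf("doff + s mod 2^32   = %u\n", (uint32_t)(doff + s));
    printf("naive check accepts = %d\n", bounds_check_naive(size, doff, s));
    printf("safe check accepts  = %d\n", bounds_check_safe(size, doff, s));
    printf("overflow entry copied   = %zu bytes\n", demo_overflow_entry());
    printf("legitimate entry copied = %zu bytes\n", demo_legitimate_entry());
    return 0;
}
```

The naive check accepts the report's values because the sum wraps to 113, which is below any realistic `size`; the safe form rejects them at the first comparison while still accepting an in-bounds entry.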
Hans Ulrich Niedermann
libexif
None
Public
Date: 2007-05-10 15:36
Date: 2007-05-09 23:36
| Filename | Description | Download |
|---|---|---|
| crash_libexif.jpg | File to crash libexif | Download |

| Field | Old Value | Date | By |
|---|---|---|---|
| priority | 5 | 2007-05-10 15:36 | hun |
| status_id | Open | 2007-05-10 15:36 | hun |
| resolution_id | None | 2007-05-10 15:36 | hun |
| close_date | - | 2007-05-10 15:36 | hun |
| assigned_to | nobody | 2007-05-10 15:36 | hun |
| is_private | 1 | 2007-05-10 15:36 | hun |
| File Added | 228567: crash_libexif.jpg | 2007-05-09 23:36 | haypo |