#107 Integer overflow in libexif/exif-data.c

Status: closed-fixed
Group: libexif (61)
Priority: 5
Updated: 2012-07-12
Created: 2011-11-07
Creator: Yunho Kim
Private: No

Through applying concolic testing to the libexif library code,
we found that libexif has an integer overflow bug in exif_data_load_data in libexif/exif-data.c.

The bug is in line 901. When offset + 6 + 2 is larger than UINT_MAX, offset + 6 + 2 becomes smaller than ds
due to integer overflow. Thus, exif_get_short() in line 904 may access an invalid memory address, which causes a segmentation fault
or unexpected results.

893 offset = exif_get_long (d + 10, data->priv->order);
894 exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
895 "IFD 0 at %i.", (int) offset);
896
897 /* Parse the actual exif data (usually offset 14 from start) */
898 exif_data_load_data_content (data, EXIF_IFD_0, d + 6, ds - 6, offset, 0);
899
900 /* IFD 1 offset */
901 if (offset + 6 + 2 > ds) {
902 return;
903 }
904 n = exif_get_short (d + 6 + offset, data->priv->order);
905 if (offset + 6 + 2 + 12 * n + 4 > ds) {
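The wrapped comparison from line 901, and the overflow-safe form a defender would substitute for it, as an added example (this is not libexif's code and not the upstream fix; the `ds`, `offset` and `n` values are constructed, and `n` is assumed to be the 16-bit EXIF entry count that exif_get_short() returns):

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Check as written on line 901: offset + 6 + 2 is evaluated in unsigned
 * int and wraps to a small value when offset is near UINT_MAX, so the
 * comparison against ds passes and the caller reads past the buffer. */
static bool ifd1_check_as_reported(unsigned int offset, unsigned int ds)
{
    return !(offset + 6 + 2 > ds);
}

/* Overflow-safe rewrite (this example's own, not the upstream patch):
 * subtract from ds instead of adding to offset, after making sure the
 * subtraction itself cannot underflow. No sum involving offset exists. */
static bool ifd1_check_safe(unsigned int offset, unsigned int ds)
{
    if (ds < 6 + 2)
        return false;
    return offset <= ds - 6 - 2;
}

/* Same treatment for the entry-table check on line 905. Once the header
 * check has passed, ds - 6 - 2 - offset is the space left for entries,
 * and 12 * n + 4 cannot overflow because n is a 16-bit count. */
static bool ifd1_entries_check_safe(unsigned int offset, unsigned int ds,
                                    unsigned short n)
{
    if (!ifd1_check_safe(offset, ds))
        return false;
    return 12u * n + 4 <= ds - 6 - 2 - offset;
}

int main(void)
{
    unsigned int ds = 100;             /* constructed buffer size */
    unsigned int bad = UINT_MAX - 7;   /* bad + 6 + 2 wraps to 0 */

    printf("reported check accepts wrapped offset: %d\n",
           ifd1_check_as_reported(bad, ds));      /* 1: out-of-bounds read */
    printf("safe check accepts wrapped offset:     %d\n",
           ifd1_check_safe(bad, ds));             /* 0: rejected */
    printf("safe entries check, offset 14, n 6:    %d\n",
           ifd1_entries_check_safe(14, ds, 6));   /* 1: 76 <= 78 */
    return 0;
}
```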

Discussion

  • Dan Fandrich

    Dan Fandrich - 2012-07-12
    • assigned_to: nobody --> dfandrich
    • status: open --> closed-fixed
  • Dan Fandrich

    Dan Fandrich - 2012-07-12

    Thank you for reporting this issue. It has been assigned CVE-2012-2836 and has been fixed in the just-released libexif version 0.6.21.
