Out-of-Bounds Read
Version: 0.6.21
Trigger: exif -c file
Only tested in Linux x86 and x64.
Hey guys, there's an OOB read when trying to write or remove tags in a raw file. To crash libexif, for now, I was using the exif tool as a frontend. If you agree, can you assign a CVE number, please?
root@vulndev01:~/src/crashes# exif -cd file
ExifLoader: Scanning 1024 byte(s) of data...
exif-content: Tag 'XResolution' is mandatory in IFD '0' and has therefore been added.
exif-content: Tag 'YResolution' is mandatory in IFD '0' and has therefore been added.
exif-content: Tag 'ResolutionUnit' is mandatory in IFD '0' and has therefore been added.
exif-content: Tag 'YCbCrPositioning' is mandatory in IFD '0' and has therefore been added.
exif-content: Tag 'ExifVersion' is mandatory in IFD 'EXIF' and has therefore been added.
exif-content: Tag 'ComponentsConfiguration' is mandatory in IFD 'EXIF' and has therefore been added.
exif-content: Tag 'FlashPixVersion' is mandatory in IFD 'EXIF' and has therefore been added.
exif-content: Tag 'ColorSpace' is mandatory in IFD 'EXIF' and has therefore been added.
exif-content: Tag 'PixelXDimension' is mandatory in IFD 'EXIF' and has therefore been added.
exif-content: Tag 'PixelYDimension' is mandatory in IFD 'EXIF' and has therefore been added.
exif: Adding entry...
ExifData: Saving IFDs...
ExifData: Saving 5 entries (IFD '0', offset: 10)...
ExifData: Saving 6 entries (IFD 'EXIF', offset: 124)...
ExifData: Saved 206 byte(s) EXIF data.
ExifData: Saving IFDs...
ExifData: Saving 5 entries (IFD '0', offset: 10)...
ExifData: Saving 6 entries (IFD 'EXIF', offset: 124)...
ExifData: Saved 206 byte(s) EXIF data.
Segmentation fault
root@vulndev01:~/src/crashes#
=================================================================
==2199==ERROR: AddressSanitizer: unknown-crash on address 0xb1a0a200 at pc 0xb718ae34 bp 0xbf8e10a8 sp 0xbf8e109c
READ of size 134416 at 0xb1a0a200 thread T0
#0 0xb718ae33 in exif_data_save_data_entry /root/libexif-0.6.21/libexif/exif-data.c:298
#1 0xb718ae33 in exif_data_save_data_content /root/libexif-0.6.21/libexif/exif-data.c:582
#2 0xb7189b19 in exif_data_save_data_content /root/libexif-0.6.21/libexif/exif-data.c:609
#3 0xb718da8c in exif_data_save_data /root/libexif-0.6.21/libexif/exif-data.c:984
#4 0x8050dc7 in jpeg_data_save_data /root/exif-0.6.21/libjpeg/jpeg-data.c:145
#5 0x80519e6 in jpeg_data_save_file /root/exif-0.6.21/libjpeg/jpeg-data.c:97
#6 0x804c206 in action_save /root/exif-0.6.21/exif/actions.c:183
#7 0x804a6e0 in main /root/exif-0.6.21/exif/main.c:462
#8 0xb6f8aa62 in __libc_start_main (/lib/i386-linux-gnu/i686/cmov/libc.so.6+0x19a62)
#9 0x804afda (/usr/local/bin/exif+0x804afda)
0xb1a0e3a2 is located 0 bytes to the right of 16802-byte region [0xb1a0a200,0xb1a0e3a2)
allocated by thread T0 here:
#0 0xb7255954 in realloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e954)
#1 0xb719f8bb in exif_mem_realloc_func /root/libexif-0.6.21/libexif/exif-mem.c:23
SUMMARY: AddressSanitizer: unknown-crash /root/libexif-0.6.21/libexif/exif-data.c:298 exif_data_save_data_entry
Shadow bytes around the buggy address:
==2199==ABORTING
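The trace above shows exif_data_save_data_entry reading 134416 bytes out of a 16802-byte allocation: the copy length comes from what the entry declares rather than from what was actually allocated for it. As an added illustration that is not libexif's code (struct and function names are hypothetical), this simplified C model shows the defensive pattern for that step: clamp the copy to the bytes the entry really holds and zero-fill the rest of the declared span.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of an IFD entry (hypothetical names, not libexif's):
 * the serialized length is derived from format_size * components, while
 * data holds only size bytes. The two can disagree in a crafted file. */
struct entry {
    uint32_t format_size;   /* bytes per component, e.g. 8 for RATIONAL */
    uint32_t components;    /* declared component count, read from the file */
    uint32_t size;          /* bytes actually allocated behind data */
    unsigned char *data;
};

/* Write the entry payload at out + off. Returns the declared length written,
 * or 0 if it would not fit in out. The copy is clamped to e->size and the
 * remainder zero-filled, so a declared length larger than the backing
 * buffer no longer reads past its end. */
size_t save_entry_data(const struct entry *e, unsigned char *out,
                       size_t out_len, size_t off)
{
    uint64_t declared = (uint64_t)e->format_size * e->components;
    if (declared > out_len || off > out_len - declared)
        return 0;                              /* destination too small */
    size_t len = 0;
    if (e->data)
        len = e->size < declared ? e->size : (size_t)declared;
    if (len)
        memcpy(out + off, e->data, len);       /* at most e->size bytes */
    memset(out + off + len, 0, (size_t)declared - len);
    return (size_t)declared;
}

/* Constructed scenario in the shape of the report: a 16-byte payload whose
 * header claims 8 RATIONAL components (8 * 8 = 64 bytes). Returns the
 * declared length written, or -1 if clamping or zero-fill went wrong. */
int demo_oversized_entry(void)
{
    unsigned char payload[16];
    memset(payload, 0xAB, sizeof payload);     /* constructed sample bytes */
    struct entry e = { 8, 8, sizeof payload, payload };
    unsigned char out[6 + 64];
    memset(out, 0xFF, sizeof out);
    if (save_entry_data(&e, out, sizeof out, 6) != 64)
        return -1;
    for (size_t i = 0; i < 64; i++)
        if (out[6 + i] != (i < 16 ? 0xAB : 0x00))
            return -1;
    return 64;
}
```

Without the clamp, the same entry would make the copy read 64 bytes from a 16-byte buffer, which is the condition AddressSanitizer reports above.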
I'm looking at a similar issue now. I hope to have the time to investigate this by next week.
Hi Dan, hope you're doing great. Looks like someone else created an open ticket with public visibility; reading the description, it looks like the same bug, but I'm not sure if it is. However, I just noticed that the zip file is password protected.
https://sourceforge.net/p/libexif/bugs/130/
Cheers.
On Tue, May 30, 2017 at 6:24 AM, Dan Fandrich dfandrich@users.sf.net wrote:
Related Bugs: #129 same as bug 130
I applied this fix.
cool! well done
Hi Marcus/others. Since the bug was fixed, do you mind closing the ticket and changing it from private to public?