#70 Serious security bug in exif_data_load_data_entry()

closed-fixed
libexif (62)
7
2007-05-10
2007-05-09
No

Hi,

I wrote a fuzzer program and tried it on all programs. I found a serious bug in your libexif library!

At libexif/exif-data.c line 186, function exif_data_load_data_entry():

    /* Sanity check */
    if (size < doff + s)
        return;

    entry->data = exif_data_alloc (data, s);
    if (entry->data) {
        entry->size = s;
        memcpy (entry->data, d + doff, s);
    }

Your code looks valid, but try it with:
s=296
doff=4294901874
s=65535

doff+s is 4294967409, and 4294967409 is smaller than s. OK, but we are in the C world, and the C language uses modulo 2^32 (2^sizeof(int)) arithmetic, and so doff+s is 113!

I don't know how to detect overflow, but I wrote these other tests:

    if (size < s)
        return;
    if (size < doff)
        return;

A better idea would be to check the s and doff values, since a doff bigger than the file size and/or bigger than 2^31 looks like an invalid value.

Victor

Discussion

  • STINNER Victor

    STINNER Victor - 2007-05-09

    File to crash libexif

     
  • STINNER Victor

    STINNER Victor - 2007-05-09

    Logged In: YES
    user_id=365388
    Originator: YES

    File Added: crash_libexif.jpg

     
  • Hans Ulrich Niedermann

    • priority: 5 --> 7
    • assigned_to: nobody --> hun
    • status: open --> closed-fixed
     
  • Hans Ulrich Niedermann

    Logged In: YES
    user_id=59853
    Originator: NO

    The easy fix is to catch the integer overflow with a (doff+s < doff || doff+s < s) check. This fix is in CVS and today's 0.6.14 security fix release.

    It would be even better to compare s and doff to size and layout of the EXIF file, but that would need non-trivial changes and additions to the code to keep track of and pass around the legal file offset ranges.

     
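The following is an added example written for this report; it is not libexif code. It puts the original `size < doff + s` check from exif_data_load_data_entry() next to the reporter's two separate comparisons and the `doff+s < doff || doff+s < s` wrap check from the 0.6.14 fix, and runs all of them on the values from the report (size 296, doff 4294901874, s 65535). The `subtractive_accepts` guard, the `range_fits` 64-bit reference and the extra "both operands below size" case are additions for illustration, not part of the report or the fix.

```c
/* Added example for this report, not libexif code. It reproduces the wrap in
 * the original `size < doff + s` check with the values from the report
 * (size = 296, doff = 4294901874, s = 65535) and compares four guards against
 * a 64-bit reference that cannot wrap. The test cases are constructed. */
#include <stdint.h>
#include <stdio.h>

/* The original sanity check from exif_data_load_data_entry(). Returns 1 when
 * the entry would be accepted. doff + s is 32-bit unsigned arithmetic, so it
 * wraps modulo 2^32: 4294901874 + 65535 becomes 113, which is below 296. */
int original_accepts(uint32_t size, uint32_t doff, uint32_t s)
{
    return !(size < doff + s);
}

/* The reporter's suggestion: two independent comparisons. Each operand is
 * bounded by size, but the sum is never checked. */
int separate_checks_accept(uint32_t size, uint32_t doff, uint32_t s)
{
    if (size < s)
        return 0;
    if (size < doff)
        return 0;
    return 1;
}

/* The 0.6.14 fix: detect the wrap before trusting the sum. */
int fixed_accepts(uint32_t size, uint32_t doff, uint32_t s)
{
    if (doff + s < doff || doff + s < s)
        return 0;
    return !(size < doff + s);
}

/* Added guard (not a libexif change) that never forms doff + s: the range
 * [doff, doff + s) fits in size bytes iff doff <= size and s <= size - doff. */
int subtractive_accepts(uint32_t size, uint32_t doff, uint32_t s)
{
    return doff <= size && s <= size - doff;
}

/* Reference answer computed in 64 bits, so it cannot wrap. */
int range_fits(uint32_t size, uint32_t doff, uint32_t s)
{
    return (uint64_t)doff + (uint64_t)s <= (uint64_t)size;
}

/* 1 when `check` gives the same verdict as the 64-bit reference. */
int check_is_sound(int (*check)(uint32_t, uint32_t, uint32_t),
                   uint32_t size, uint32_t doff, uint32_t s)
{
    return check(size, doff, s) == range_fits(size, doff, s);
}

int main(void)
{
    /* Constructed cases; the first uses the values from the report. */
    struct { const char *name; uint32_t size, doff, s; } cases[] = {
        { "report (sum wraps to 113)",   296, 4294901874u, 65535 },
        { "valid entry",                 296, 100,         50    },
        { "past end, no wrap",           296, 250,         50    },
        { "both < size, sum > size",     296, 200,         200   },
    };
    struct { const char *name; int (*fn)(uint32_t, uint32_t, uint32_t); } checks[] = {
        { "original", original_accepts },
        { "separate", separate_checks_accept },
        { "0.6.14",   fixed_accepts },
        { "subtract", subtractive_accepts },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-28s fits=%d", cases[i].name,
               range_fits(cases[i].size, cases[i].doff, cases[i].s));
        for (size_t j = 0; j < sizeof checks / sizeof checks[0]; j++)
            printf("  %s=%d", checks[j].name,
                   checks[j].fn(cases[i].size, cases[i].doff, cases[i].s));
        printf("\n");
    }
    return 0;
}
```

Running it shows the original check accepting the report's entry while both the wrap check and the subtractive form reject it; the fourth case shows why the two separate comparisons alone are not enough, since each operand is below size but their sum is not.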
