Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Integer overflow in Photoshop::setIptcIrb #2179

Closed
kevinbackhouse opened this issue Mar 31, 2022 · 1 comment · Fixed by #2181 or #2194
Closed

Integer overflow in Photoshop::setIptcIrb #2179

kevinbackhouse opened this issue Mar 31, 2022 · 1 comment · Fixed by #2181 or #2194
Assignees
@kevinbackhouse
Labels
bug OSS-Fuzz Bug reported by https://google.github.io/oss-fuzz/

Comments

@kevinbackhouse
Copy link
Collaborator

Reported by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45302

There is an integer overflow here:

exiv2/src/jpgimage.cpp

Line 185 in 790fc46

while (0 == Photoshop::locateIptcIrb(pPsData + pos, sizePsData - pos, &record, &sizeHdr, &sizeIptc)) {

The problem is that there is no check that pos <= sizePsData, so the subtraction can overflow. This problem used to be a latent bug, masked by the use of the signed type long, but the recent switch to size_t has made it triggerable. This problem only exists on main. It does not affect any released versions of Exiv2.

poc: poc.tar.gz

To reproduce:

./bin/fuzz-read-print-write clusterfuzz-testcase-minimized-fuzz-read-print-write-4560990975426560

It doesn't actually cause a crash for me. OSS-Fuzz must be using different build settings to catch it. I had to set a breakpoint on Exiv2::Photoshop::setIptcIrb and step through the loop to see the overflow manually.
@kevinbackhouse kevinbackhouse added bug OSS-Fuzz Bug reported by https://google.github.io/oss-fuzz/ labels Mar 31, 2022
@kevinbackhouse kevinbackhouse self-assigned this Mar 31, 2022
piponazo added a commit that referenced this issue Mar 31, 2022
@piponazo
Fix integer overflow #2179
62e090a
@piponazo piponazo mentioned this issue Mar 31, 2022
Merged
piponazo added a commit that referenced this issue Apr 6, 2022
@piponazo
Fix integer overflow #2179
c4b5a35
piponazo added a commit that referenced this issue Apr 6, 2022
@piponazo
Fix integer overflow #2179
fe71e12
piponazo added a commit that referenced this issue Apr 6, 2022
@piponazo
Fix integer overflow #2179
ccb1a26
@piponazo
Copy link
Collaborator

piponazo commented Apr 6, 2022
edited
Loading

piponazo added a commit that referenced this issue Apr 6, 2022
@piponazo
Fix integer overflow #2179
c8719cc
@piponazo piponazo mentioned this issue Apr 6, 2022
Merged
piponazo added a commit that referenced this issue Apr 6, 2022
@piponazo
Fix integer overflow #2179
e54f5c9
piponazo added a commit that referenced this issue Apr 6, 2022
@piponazo
Merge pull request #2194 from Exiv2/027_fix2179
036af47 
[027] Fix integer overflow #2179
piponazo added a commit that referenced this issue Apr 6, 2022
@piponazo
Fix integer overflow #2179
e715243
piponazo added a commit that referenced this issue Apr 6, 2022
@piponazo
Merge pull request #2181 from Exiv2/main_issue2179
235bf52 
[main] Fix integer overflow #2179
@nehaljwani nehaljwani mentioned this issue Jan 16, 2023
Closed
antermin pushed a commit to antermin/exiv2 that referenced this issue Mar 16, 2023
@piponazo @antermin
Fix integer overflow Exiv2#2179
98e2568
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kevinbackhouse kevinbackhouse

Labels
bug OSS-Fuzz Bug reported by https://google.github.io/oss-fuzz/
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[main] Fix integer overflow #2179 Exiv2/exiv2
[027] Fix integer overflow #2179 Exiv2/exiv2
2 participants
@piponazo @kevinbackhouse