Several bugs in exiv2 0.27-rc3

[cool-tomato]

I have tested them in latest version 0.27-RC3.

1. ./exiv2 -pR pngimage-heap-bof-poc-1
2. ./exiv2 -Y 2011 -O 02 -D 29 adjust tiffimage_int-out-of-bound-read-poc-2.
3. ./exiv2 -M'set Xmp.dc.title lang="de-DE" Euros' jp2image-heap-bof-poc-3.
4. ./iptcprint abort-poc-4
5. ./exiv2 insert jp2image-infiniteloop-poc-5
   And, more info can be found at https://github.com/TeamSeri0us/pocs/tree/master/exiv2/20181206.

[clanmills]

@cool-tomato Thanks for letting me know about this. They'll be investigated this week.

I'm curious about how you found them as I thought we had dealt with every reported POCs, fixed them and added them to our test suite. Are those new discoveries, or something we didn't fix?

[cool-tomato]

I have checked these bugs, and they are new discoveries. Actually, I forget how I found these poc files, they are from the accumulation of the past. I just tested them with several command line options, plus ASAN-compiled version, that's all.

[clanmills]

Thanks for the update. I'm looking at them now. I thought we were done with this - however we're not. Let me see what I can get done about this.

[clanmills]

I've submitted a fix for (2) tiffimage_int-out-of-bound-read-poc-2.dms

I had difficulty reproducing this. On MacOS-X I get (with/without the patch).

1017 rmills@rmillsmm:~/gnu/github/exiv2/exiv2/build $ bin/exiv2 -Y 2011 -O 02 -D 29 adjust ~/Downloads/pocs/tiffimage_int-out-of-bound-read-poc-2.dms 
/Users/rmills/Downloads/pocs/tiffimage_int-out-of-bound-read-poc-2.dms: Can't adjust timestamp by 2011 years
1018 rmills@rmillsmm:~/gnu/github/exiv2/exiv2/build $ 

On Ubuntu, without the fix, I get:

rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2/build$ bin/exiv2 -Y 2011 -O 02 -D 29 adjust ~/pocs/tiffimage_int-out-of-bound-read-poc-2.dms 
Error: Directory Image: Next pointer is out of bounds; ignored.
Error: Directory Image, entry 0x00fe has invalid size 1358954497*4; skipping entry.
Error: Directory Image, entry 0x011b has invalid size 1107296257*8; skipping entry.
Error: XMP Toolkit error 201: XML parsing failure
Warning: Failed to decode XMP metadata.
Error: Directory Image: Next pointer is out of bounds; ignored.
Error: Directory Image, entry 0x00fe has invalid size 1358954497*4; skipping entry.
Error: Directory Image, entry 0x011b has invalid size 1107296257*8; skipping entry.
/home/rmills/gnu/github/exiv2/exiv2/src/tiffimage_int.cpp:1699:43: runtime error: member call on null pointer of type 'const struct Value'

With the fix, I get:

rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2/build$ bin/exiv2 -Y 2011 -O 02 -D 29 adjust ~/pocs/tiffimage_int-out-of-bound-read-poc-2.dms 
Error: Directory Image: Next pointer is out of bounds; ignored.
Error: Directory Image, entry 0x00fe has invalid size 1358954497*4; skipping entry.
Error: Directory Image, entry 0x011b has invalid size 1107296257*8; skipping entry.
Error: XMP Toolkit error 201: XML parsing failure
Warning: Failed to decode XMP metadata.
Error: Directory Image: Next pointer is out of bounds; ignored.
Error: Directory Image, entry 0x00fe has invalid size 1358954497*4; skipping entry.
Error: Directory Image, entry 0x011b has invalid size 1107296257*8; skipping entry.
rmills@rmillsmm-ubuntu:~/gnu/github/exiv2/exiv2/build$ 

The fix is to "unroll" the pointers at the location of the crash.

diff --git a/src/tiffimage_int.cpp b/src/tiffimage_int.cpp
index 7cd6656d..83a76c07 100644
--- a/src/tiffimage_int.cpp
+++ b/src/tiffimage_int.cpp
@@ -1694,12 +1694,24 @@ namespace Exiv2 {
             TiffFinder finder(0x00fe, imageGroups[i]);
             pSourceDir->accept(finder);
             TiffEntryBase* te = dynamic_cast<TiffEntryBase*>(finder.result());
+#if 0
             if (   te
-                && te->pValue()->typeId() == unsignedLong
-                && te->pValue()->count() == 1
-                && (te->pValue()->toLong() & 1) == 0) {
+                   && te->pValue()->typeId() == unsignedLong
+                   && te->pValue()->count() == 1
+                   && (te->pValue()->toLong() & 1) == 0) {
                 primaryGroups.push_back(te->group());
             }
+#else
+            if (   te ) {
+                if (te->pValue()) {
+                    if (te->pValue()->typeId() == unsignedLong
+                        && te->pValue()->count() == 1
+                        && (te->pValue()->toLong() & 1) == 0) {
+                        primaryGroups.push_back(te->group());
+                    }
+                }
+            }
+#endif
         }
 
     } // TiffParserWorker::findPrimaryGroups
1019 rmills@rmillsmm:~/gnu/github/exiv2/exiv2/build $ 

[clanmills]

I've realised why I couldn't consistently reproduce this! When the fix is in place, the file is successfully modified. Running the command (even with defective code) on the modified file, the crash does not occur.

The fix is solid and working OK on MacOS-X/clang and Ubuntu 18.04/gcc.

[clanmills]

I've submitted fixes for the 3 JP2000 files in this issue report:

1210 rmills@rmillsmm:~/gnu/github/exiv2/exiv2/build $ file ~/Downloads/pocs/* | grep JPEG
/Users/rmills/Downloads/pocs/abort-poc-4.dms:                           JPEG 2000
/Users/rmills/Downloads/pocs/jp2image-heap-bof-poc-3.dms:               JPEG 2000 Part 1 (JP2)
/Users/rmills/Downloads/pocs/jp2image-infiniteloop-poc-5.dms:           JPEG 2000
1211 rmills@rmillsmm:~/gnu/github/exiv2/exiv2/build $ 

I know the fixes are effective on those particular files. I'm not familiar with the JPEG 2000 format and I'd like to study it more and look at both the fixes and the code generally to see if it can be improved.

I'd also like to add tests to our test suite respect those files.

I'm rather lost by the lack of structure in the names of the files. Here's what I believe we're dealing with:

761 rmills@rmillsmm:~/Downloads/pocs $ ls -ls *
  4 -rw-r--r--+ 1 rmills staff     84 Dec 11 19:46 abort-poc-4.dms
  4 -rw-r--r--+ 1 rmills staff    116 Dec 11 19:46 jp2image-heap-bof-poc-3.dms
  4 -rw-r--r--+ 1 rmills staff     84 Dec 11 19:46 jp2image-infiniteloop-poc-5.dms
  4 -rw-r--r--+ 1 rmills staff    218 Dec 11 19:46 pngimage-heap-bof-poc-1.dms
  4 -rw-r--r--+ 1 rmills staff     34 Dec 11 19:46 poc.dms
  4 -rw-r--r--+ 1 rmills staff    283 Dec 11 19:46 poc_infinite_loop.dms
192 -rw-r--r--+ 1 rmills staff 143444 Dec 11 19:42 tiffimage_int-out-of-bound-read-poc-2.dms
762 rmills@rmillsmm:~/Downloads/pocs $ sha256sum * | sort -k 2
8a855f7efc343c3ca23481aac5ad1997b7c8986fb37ceff9eb75a95e1b18dd2c  abort-poc-4.dms
00f147dc2fdce6fa6af84590a0ba774e5efe066fd53d5a78c1d6b57b27688f00  jp2image-heap-bof-poc-3.dms
afea4090c9b8640eae4ba5e3a906995149ed1cec10dfb004c3e6c06630a9ccef  jp2image-infiniteloop-poc-5.dms
ed44a3c35fbc031f0fbe33e5d5492923cdd980f078cda20a57c6f05c4bc79e7b  pngimage-heap-bof-poc-1.dms
24e203e9b93a7949f494899270a27f415c9875298a6a26d4474cfc483ad38ff3  poc.dms
2597398d9e96e4ed9946a1c2241bd866ec4fa1e561b5cd60e27c14751f0753ad  poc_infinite_loop.dms
ade99eebbaa9747c0213ffad9bda23a48dc6a7ece3719d037cc214efd92f3580  tiffimage_int-out-of-bound-read-poc-2.dms

I believe they are correctly copied to GitHub:

764 rmills@rmillsmm:~/Downloads/pocs $ cd ~/gnu/github/exiv2/foo/exiv2/test/data
765 rmills@rmillsmm:~/gnu/github/exiv2/foo/exiv2/test/data $ sha256sum poc.dms pngimage-heap-bof-poc-1.dms tiffimage_int-out-of-bound-read-poc-2.dms jp2image-heap-bof-poc-3.dms abort-poc-4.dms jp2image-infiniteloop-poc-5.dms | sort -k 2
8a855f7efc343c3ca23481aac5ad1997b7c8986fb37ceff9eb75a95e1b18dd2c  abort-poc-4.dms
00f147dc2fdce6fa6af84590a0ba774e5efe066fd53d5a78c1d6b57b27688f00  jp2image-heap-bof-poc-3.dms
afea4090c9b8640eae4ba5e3a906995149ed1cec10dfb004c3e6c06630a9ccef  jp2image-infiniteloop-poc-5.dms
ed44a3c35fbc031f0fbe33e5d5492923cdd980f078cda20a57c6f05c4bc79e7b  pngimage-heap-bof-poc-1.dms
24e203e9b93a7949f494899270a27f415c9875298a6a26d4474cfc483ad38ff3  poc.dms
4b4c9ca57858f9a1eb6ac61d6f5c57f566e602a7d55e14c5d31fd2ec0c3b3487  tiffimage_int-out-of-bound-read-poc-2.dms
766 rmills@rmillsmm:~/gnu/github/exiv2/foo/exiv2/test/data $ 

[clanmills]

My fix has disturbed the test harness for 188:

529 rmills@rmillsmm:~/gnu/github/exiv2/exiv2 $ build/bin/exiv2 test/data/poc_2017-12-12_issue188 
Exiv2 exception in print action for file test/data/poc_2017-12-12_issue188:
corrupted image metadata
530 rmills@rmillsmm:~/gnu/github/exiv2/exiv2 $ build/bin/exiv2 -pS test/data/poc_2017-12-12_issue188 
STRUCTURE OF JPEG2000 FILE: test/data/poc_2017-12-12_issue188
 address |   length | box       | data
       0 |       12 | jP        | 
      12 |       20 | jp2h      | 
Exiv2 exception in print action for file test/data/poc_2017-12-12_issue188:
corrupted image metadata
531 rmills@rmillsmm:~/gnu/github/exiv2/exiv2 $ 

Looking at the code in the test harness, we have:

# -*- coding: utf-8 -*-

import system_tests


class TestCvePoC(metaclass=system_tests.CaseMeta):

    url = "https://github.com/Exiv2/exiv2/issues/188"
    found_by = ["Wei You", "@youwei1988"]

    filename = "$data_path/poc_2017-12-12_issue188"
    commands = ["$exiv2 " + filename]
    stdout = [""]
    stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
$addition_overflow_message
"""]
    retval = [1]

This is a JP2000 file. I've almost certainly detected the FUZZ earlier in the file parser before it arrives at the arithmetic overflow.

This reinforces my thoughts about studying both the JP2000 file format and the parser (and encoder) in jp2image.cpp and decide what's best.

[clanmills]

We will not accept these changes for v0.27. I hope to incorporate them into Exiv2 v0.27.1 which hasn't been defined, however will probably be released at the end of March 2019.

[piponazo]

I just went trough all the 5 cases and:

1. ./exiv2 -pR pngimage-heap-bof-poc-1
   a. The options -pR cannot be used anymore in release mode.

• ./exiv2 -Y 2011 -O 02 -D 29 adjust tiffimage_int-out-of-bound-read-poc-2.
  a. I just submitted a PR which is fixing this issue Fix access to null pointer in TiffParser #706.
• ./exiv2 -M'set Xmp.dc.title lang="de-DE" Euros' jp2image-heap-bof-poc-3.
  a. Not crashing anymore:

(conan) ✘-1 /media/linuxDev/programming/exiv2/buildRelease [0.27|✔] 
22:41 $ bin/exiv2 3\. -M'set Xmp.dc.title lang="de-DE" Euros' /media/linuxDev/exiv2/jp2image-heap-bof-poc-3 
3.: Failed to open the file
Exiv2 exception in print action for file -Mset Xmp.dc.title lang="de-DE" Euros:
Not a valid ICC Profile
/media/linuxDev/exiv2/jp2image-heap-bof-poc-3 File name       : /media/linuxDev/exiv2/jp2image-heap-bof-poc-3
/media/linuxDev/exiv2/jp2image-heap-bof-poc-3 File size       : 116 Bytes
/media/linuxDev/exiv2/jp2image-heap-bof-poc-3 MIME type       : image/jp2
/media/linuxDev/exiv2/jp2image-heap-bof-poc-3 Image size      : 198407 x 32
/media/linuxDev/exiv2/jp2image-heap-bof-poc-3: No Exif data found in the file

• ./iptcprint abort-poc-4
  a. Exiting with std::overflow_error intentionally.
• ./exiv2 insert jp2image-infiniteloop-poc-5
  And, more info can be found at https://github.com/TeamSeri0us/pocs/tree/master/exiv2/20181206.
  a. Cannot reproduce the issue:

(conan) ✘-ABRT /media/linuxDev/programming/exiv2/buildRelease [0.27|✔] 
22:43 $ bin/exiv2 insert /media/linuxDev/exiv2/jp2image-infiniteloop-poc-5 
/media/linuxDev/exiv2/jp2image-infiniteloop-poc-5.exv: Failed to open the file

[piponazo]

Now that #706 was merged in 0.27, this issue can be closed. There is still #717 which will be merged into master.