
Bug#947318: libexiv2-14: ExivGroup invalid memory access



Package: libexiv2-14
Version: 0.25-4
Severity: important
Tags: buster
Affects: gwenview

The attached (extracted) exif data dump can be used to crash (lib)exiv2 under
Debian buster. This is causing crashes of gwenview or similar graphical image
viewers. But it can be reproduced more easily with the exiv2 command-line tool:

    $ valgrind exiv2 -pt dfa12848-c367-463f-8308-1508466631e1.exv
    ==18807== Memcheck, a memory error detector
    ==18807== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==18807== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
    ==18807== Command: exiv2 -pt dfa12848-c367-463f-8308-1508466631e1.exv
    ==18807==
    Exif.Image.ImageDescription                  Ascii       1
    Exif.Image.Make                              Ascii       1
    Exif.Image.Model                             Ascii       1
    Exif.Image.Software                          Ascii       1
    Exif.Image.DateTime                          Ascii       1
    Exif.Image.Artist                            Ascii       1
    Exif.Image.ExifTag                           Long        1  134
    Exif.Photo.ExifVersion                       Undefined   1  (0)
    Exif.Photo.DateTimeOriginal                  Ascii       1
    Exif.Photo.DateTimeDigitized                 Ascii       1
    Exif.Photo.ComponentsConfiguration           Undefined   1
    Exif.Photo.UserComment                       Undefined   1
    Exif.Photo.SubSecTime                        Ascii       1
    Exif.Photo.SubSecTimeOriginal                Ascii       1
    Exif.Photo.SubSecTimeDigitized               Ascii       1
    Exif.Photo.FlashpixVersion                   Undefined   1  (0)
    Exif.Photo.SceneType                         Undefined   1  (0)
    Exif.Photo.ImageUniqueID                     Ascii       1
    Exif.Image.GPSTag                            Long        1  272
    Exif.GPSInfo.GPSVersionID                    Byte        1  0
    Exif.GPSInfo.GPSLatitudeRef                  Ascii       1  ()
    Exif.GPSInfo.GPSLongitudeRef                 Ascii       1  ()
    Exif.GPSInfo.GPSAltitudeRef                  Byte        1  Above sea level
    Exif.GPSInfo.GPSProcessingMethod             Undefined   1  0
    Exif.GPSInfo.GPSDateStamp                    Ascii       1
    ==18807== Invalid read of size 1
    ==18807==    at 0x49C95BB: Exiv2::Internal::printUcs2(std::ostream&, Exiv2::Value const&, Exiv2::ExifData const*) (tags.cpp:2324)
    ==18807==    by 0x498B26B: Exiv2::Metadatum::print[abi:cxx11](Exiv2::ExifData const*) const (metadatum.cpp:80)
    ==18807==    by 0x11DB7B: Action::Print::printMetadatum(Exiv2::Metadatum const&, Exiv2::Image const*) (actions.cpp:711)
    ==18807==    by 0x11E00E: Action::Print::printMetadata(Exiv2::Image const*) (actions.cpp:536)
    ==18807==    by 0x11E2D7: Action::Print::printList() (actions.cpp:526)
    ==18807==    by 0x122CFF: Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (actions.cpp:241)
    ==18807==    by 0x10EA4C: main (exiv2.cpp:171)
    ==18807==  Address 0x54a5f7f is 1 bytes before a block of size 1 alloc'd
    ==18807==    at 0x483650F: operator new[](unsigned long) (vg_replace_malloc.c:423)
    ==18807==    by 0x49C95A1: DataBuf (types.hpp:194)
    ==18807==    by 0x49C95A1: Exiv2::Internal::printUcs2(std::ostream&, Exiv2::Value const&, Exiv2::ExifData const*) (tags.cpp:2321)
    ==18807==    by 0x498B26B: Exiv2::Metadatum::print[abi:cxx11](Exiv2::ExifData const*) const (metadatum.cpp:80)
    ==18807==    by 0x11DB7B: Action::Print::printMetadatum(Exiv2::Metadatum const&, Exiv2::Image const*) (actions.cpp:711)
    ==18807==    by 0x11E00E: Action::Print::printMetadata(Exiv2::Image const*) (actions.cpp:536)
    ==18807==    by 0x11E2D7: Action::Print::printList() (actions.cpp:526)
    ==18807==    by 0x122CFF: Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (actions.cpp:241)
    ==18807==    by 0x10EA4C: main (exiv2.cpp:171)
    ==18807==
    Exif.Image.XPTitle                           Byte        1  Uncaught exception: basic_string::_M_create
    ==18807==
    ==18807== HEAP SUMMARY:
    ==18807==     in use at exit: 1,452 bytes in 23 blocks
    ==18807==   total heap usage: 662 allocs, 639 frees, 130,284 bytes allocated
    ==18807==
    ==18807== LEAK SUMMARY:
    ==18807==    definitely lost: 0 bytes in 0 blocks
    ==18807==    indirectly lost: 0 bytes in 0 blocks
    ==18807==      possibly lost: 0 bytes in 0 blocks
    ==18807==    still reachable: 1,452 bytes in 23 blocks
    ==18807==         suppressed: 0 bytes in 0 blocks
    ==18807== Rerun with --leak-check=full to see details of leaked memory
    ==18807==
    ==18807== For counts of detected and suppressed errors, rerun with: -v
    ==18807== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Or, when started without valgrind:

   exiv2 -pt dfa12848-c367-463f-8308-1508466631e1.exv
   Exif.Image.ImageDescription                  Ascii       1
   Exif.Image.Make                              Ascii       1
   Exif.Image.Model                             Ascii       1
   Exif.Image.Software                          Ascii       1
   Exif.Image.DateTime                          Ascii       1
   Exif.Image.Artist                            Ascii       1
   Exif.Image.ExifTag                           Long        1  134
   Exif.Photo.ExifVersion                       Undefined   1  (0)
   Exif.Photo.DateTimeOriginal                  Ascii       1
   Exif.Photo.DateTimeDigitized                 Ascii       1
   Exif.Photo.ComponentsConfiguration           Undefined   1
   Exif.Photo.UserComment                       Undefined   1
   Exif.Photo.SubSecTime                        Ascii       1
   Exif.Photo.SubSecTimeOriginal                Ascii       1
   Exif.Photo.SubSecTimeDigitized               Ascii       1
   Exif.Photo.FlashpixVersion                   Undefined   1  (0)
   Exif.Photo.SceneType                         Undefined   1  (0)
   Exif.Photo.ImageUniqueID                     Ascii       1
   Exif.Image.GPSTag                            Long        1  272
   Exif.GPSInfo.GPSVersionID                    Byte        1  0
   Exif.GPSInfo.GPSLatitudeRef                  Ascii       1  ()
   Exif.GPSInfo.GPSLongitudeRef                 Ascii       1  ()
   Exif.GPSInfo.GPSAltitudeRef                  Byte        1  Above sea level
   Exif.GPSInfo.GPSProcessingMethod             Undefined   1  0
   Exif.GPSInfo.GPSDateStamp                    Ascii       1
   Exif.Image.XPTitle                           Byte        1  Uncaught exception: basic_string::_M_create

Attachment: dfa12848-c367-463f-8308-1508466631e1.exv
Description: Binary data
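
Added example, not part of the original report and not exiv2 source code: a bounds-checked way to trim a UCS-2LE byte value before building a std::string, next to an index-only model of the unguarded form. It assumes, as an inference from the trace above (1-byte block, read 1 byte before it, then basic_string::_M_create), that the formatter tests the last two bytes for a terminator; all function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not exiv2 code): byte length of the UCS-2LE payload
// once a dangling odd byte and trailing U+0000 units are removed.
// The `len >= 2` guard keeps every index inside the buffer, even for the
// 1-byte value seen in the report (Exif.Image.XPTitle, Byte, count 1).
std::size_t ucs2_payload_len(const std::vector<std::uint8_t>& v) {
    std::size_t len = v.size() & ~static_cast<std::size_t>(1);
    while (len >= 2 && v[len - 1] == 0 && v[len - 2] == 0) len -= 2;
    return len;
}

// Index-only model of an unguarded "last two bytes are zero" test.
// No memory is touched; this returns the lowest index such a test reads.
long lowest_index_unguarded(long size) { return size - 2; }

// Length that an unguarded `size -= 2` hands to std::string. For size 1 the
// result wraps to SIZE_MAX, which exceeds max_size() and makes the
// constructor throw std::length_error.
std::size_t length_after_unguarded_strip(long size) {
    return static_cast<std::size_t>(size - 2);
}

// Safe construction: copy only bytes the buffer actually holds.
std::string payload_bytes(const std::vector<std::uint8_t>& v) {
    return std::string(v.begin(), v.begin() + ucs2_payload_len(v));
}

int main() {
    const std::vector<std::uint8_t> one_byte{0x00};  // constructed sample input
    std::cout << "guarded length:   " << ucs2_payload_len(one_byte) << "\n"
              << "unguarded index:  " << lowest_index_unguarded(1) << "\n"
              << "unguarded length: " << length_after_unguarded_strip(1) << "\n";
    return 0;
}
```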

