
Bug#779525: exifprobe: double free or corruption



Package: exifprobe
Version: 2.0.1-3
Severity: important
Tags: security

The attached sample file (hexdump below) crashes exifprobe. The sample was produced by fuzzing with
american fuzzy lop <http://lcamtuf.coredump.cx/afl/>. The glibc abort is raised from free() in destroy_summary() (process.c:1704), called from main() (main.c:322); see the backtrace below.

00000000  ff d8 ff e0 00 12 4a 46  58 58 00 10 ff c7 00 08  |......JFXX......|
00000010  3e 46 58 58 00 f5 c6 31                           |>FXX...1|
00000018

GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
(gdb) file exifprobe
Reading symbols from exifprobe-2.0.1/exifprobe...done.
(gdb) run -c sample.jpg
Starting program: exifprobe-2.0.1/exifprobe -c sample.jpg
File Name = sample.jpg
File Type = JPEG
File Size = 24
@000000000=0       :  <JPEG_SOI>
@0x0000002=2       :    <JPEG_APP0> 0xffe0 length 18, 'JFXX'
@0x000000b=11      :       extension code 0x10 - JPEG thumbnail
@0x000000c=12      :        <JPEG_SOF_7> length 8, 62 bits/sample, components=245, width=22528, height=18008
@0x0000016=22      :        <ChromaBlurRadius> INVALID JPEG TAG
@0x0000015=21      :      #### End of JPEG thumbnail data for APP0, length 10 ####
@0x0000015=21      :    </JPEG_APP0>
@0x0000016=22      :    <ChromaBlurRadius> INVALID JPEG TAG
-0x0000017=23      :  END OF FILE
@000000000=0       :  Start of JPEG (UNKNOWN JPEG compression) primary image [0x0] length 0 (APP0 JFXX) (CORRUPTED) (no image)
@0x000000c=12      :  Start of JPEG differential lossless Huffman reduced-resolution image [22528x18008] length 10 (NO SOI)
-0x0000015=21      :    End of JPEG reduced-resolution image data
Number of images = 2
Images not found = 2
File Format = JPEG/APP0/JFXX
*** glibc detected *** exifprobe-2.0.1/exifprobe: double free or corruption (!prev): 0x00000000007593a0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x75be6)[0x7ffff7845be6]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7ffff784a98c]
exifprobe-2.0.1/exifprobe[0x43affb]
exifprobe-2.0.1/exifprobe[0x401e54]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7ffff77eeead]
exifprobe-2.0.1/exifprobe[0x403289]
======= Memory map: ========
00400000-00553000 r-xp 00000000 08:06 5767486                            exifprobe-2.0.1/exifprobe
00752000-00754000 rw-p 00152000 08:06 5767486                            exifprobe-2.0.1/exifprobe
00754000-0077a000 rw-p 00000000 00:00 0                                  [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0 
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0 
7ffff75ba000-7ffff75cf000 r-xp 00000000 08:01 48883                      /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff75cf000-7ffff77cf000 ---p 00015000 08:01 48883                      /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff77cf000-7ffff77d0000 rw-p 00015000 08:01 48883                      /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff77d0000-7ffff7951000 r-xp 00000000 08:01 15673                      /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7951000-7ffff7b51000 ---p 00181000 08:01 15673                      /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7b51000-7ffff7b55000 r--p 00181000 08:01 15673                      /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7b55000-7ffff7b56000 rw-p 00185000 08:01 15673                      /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7b56000-7ffff7b5b000 rw-p 00000000 00:00 0 
7ffff7b5b000-7ffff7bdc000 r-xp 00000000 08:01 10443                      /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7bdc000-7ffff7ddb000 ---p 00081000 08:01 10443                      /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7ddb000-7ffff7ddc000 r--p 00080000 08:01 10443                      /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7ddc000-7ffff7ddd000 rw-p 00081000 08:01 10443                      /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7ddd000-7ffff7dfd000 r-xp 00000000 08:01 37341                      /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7fd9000-7ffff7fdc000 rw-p 00000000 00:00 0 
7ffff7ff7000-7ffff7ffb000 rw-p 00000000 00:00 0 
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 0001f000 08:01 37341                      /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffd000-7ffff7ffe000 rw-p 00020000 08:01 37341                      /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7802165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt full
#0  0x00007ffff7802165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <optimized out>
        selftid = <optimized out>
#1  0x00007ffff78053e0 in *__GI_abort () at abort.c:92
        act = {__sigaction_handler = {sa_handler = 0x7fffffffdf18, sa_sigaction = 0x7fffffffdf18}, sa_mask = {__val = {140737488346880, 140737488350391, 44, 140737346920731, 3, 140737488346890, 6, 140737346920735, 2, 140737488346878, 2, 140737346911721, 1, 140737346920731, 3, 140737488346884}}, sa_flags = 12, 
          sa_restorer = 0x7ffff791e11f}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007ffff783c39b in __libc_message (do_abort=<optimized out>, fmt=<optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffe880, reg_save_area = 0x7fffffffe790}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffe880, reg_save_area = 0x7fffffffe790}}
        fd = 8
        on_2 = <optimized out>
        list = <optimized out>
        nlist = 0
        cp = <optimized out>
        written = false
#3  0x00007ffff7845be6 in malloc_printerr (action=3, str=0x7ffff7920270 "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:6312
        buf = "00000000007593a0"
        cp = 0x7ffff7915e40 "0123456789abcdefghijklmnopqrstuvwxyz"
#4  0x00007ffff784a98c in *__GI___libc_free (mem=<optimized out>) at malloc.c:3738
        ar_ptr = 0x7ffff7b56e40
        p = 0x6
#5  0x000000000043affb in destroy_summary (summary_entry=0x7593a0) at process.c:1704
        prev_entry = 0x759250
#6  0x0000000000401e54 in main (argc=<optimized out>, argv=0x7fffffffea70) at main.c:322
        file = 0x7fffffffece7 "sample.jpg"
        name = <optimized out>
        inptr = 0x759010
        status = 8
        max_offset = <optimized out>
        ifd_offset = <optimized out>
        dumplength = <optimized out>
        header = <optimized out>
        summary_entry = 0x759250
        filesize = 24
        chpr = <optimized out>
#7  0x00007ffff77eeead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffea48) at libc-start.c:244
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -3639622040855898393, 4207200, 140737488349776, 0, 0, 3639622040104343271, 3639640723441719015}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x53dc90, 0x7fffffffea58}, data = {prev = 0x0, cleanup = 0x0, canceltype = 5495952}}}
        not_first_call = <optimized out>
#8  0x0000000000403289 in _start ()
No symbol table info available.

-- 
Henri Salo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sample.jpg
Type: image/jpeg
Size: 24 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/forensics-devel/attachments/20150301/dc1937a7/attachment.jpg>

