Package: metacam
Version: 1.2-6
Severity: important
Tags: security

metacam crashes when using the following example input file, fuzzed with AFL <http://lcamtuf.coredump.cx/afl/>.
08cc3e8a67812d32d51c5aff70a10a77e4b73644  /home/fgeek/security/afl-samples/metacam/afl-metacam-sample-003.jpg

Starting program: metacam afl-metacam-sample-003.jpg
File: afl-metacam-sample-003.jpg
WARNING: Unknown field type 58624
WARNING: Unknown field type 0
WARNING: Unknown field type 8241
WARNING: Unknown field type 9361
Standard Fields
-----------------------------------

Program received signal SIGBUS, Bus error.
_DataIFDEntry::getSTRING (this=0x663380) at dataifdentry.cc:121
121         tmpbuf[value_count] = 0;
(gdb) bt
#0  _DataIFDEntry::getSTRING (this=0x663380) at dataifdentry.cc:121
#1  0x0000000000417b68 in getSTRING (this=<optimized out>) at metatiff.h:411
#2  dpyString (ctx=..., name=0x45870c "Model", e=...) at dpyfuncs.cc:46
#3  0x000000000040ebe3 in displayTags (driver=driver@entry=0x661010, header=header@entry=0x4581e5 "Standard Fields", tag_map=..., known=<optimized out>, verbose=0) at metacam.cc:86
#4  0x00000000004060bc in processFile (is=..., fname=<optimized out>, driver=0x661010) at metacam.cc:255
#5  main (argc=<optimized out>, argv=<optimized out>) at metacam.cc:359
#6  0x00007ffff72d1ead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4a8) at libc-start.c:244
#7  0x000000000040c271 in _start ()
(gdb) list
116         vector<string> v;
117         if (getRawType() != tASCII) {return v;}
118         char tmpbuf[1024];
119         source.seek(offset);
120         source.getData((unsigned char *)tmpbuf, value_count);
121         tmpbuf[value_count] = 0;
122         v.push_back(string(tmpbuf));
123         return v;
124     }
125

-- 
Henri Salo
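The listing in the report is the classic fixed-size stack buffer driven by a file-controlled length: value_count comes from the IFD entry in the input, tmpbuf holds 1024 bytes, so any count of 1024 or more makes getData copy past the end of tmpbuf and then stores the terminator out of bounds. What follows is an added example, not metacam's code and not part of the bug report: it reproduces that pattern beside a bounded version and runs both on a constructed in-memory "file". Source, IfdEntry, getSTRING_unsafe, getSTRING_safe and constructedSample are hypothetical stand-ins for metacam's own types and routines, and the embedded bytes are made up for the demonstration.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical stand-in for metacam's "source" object: the file held as an
// in-memory byte buffer with a cursor. Its getData refuses to read past the
// end of the file, but it cannot know how large the caller's buffer is.
struct Source {
    std::vector<unsigned char> bytes;
    size_t pos = 0;
    void seek(size_t off) { pos = off; }
    bool getData(unsigned char *dst, size_t n) {
        if (pos > bytes.size() || n > bytes.size() - pos) return false;
        std::memcpy(dst, bytes.data() + pos, n);
        pos += n;
        return true;
    }
};

// The two TIFF IFD entry fields the crashing code uses. Both are taken
// verbatim from the input file, so a fuzzer controls them.
struct IfdEntry {
    uint32_t offset;
    uint32_t value_count;
};

// Same shape as the crashing getSTRING: a fixed 1024-byte stack buffer, and
// the file-supplied count used as both copy length and terminator index.
// A count of 1024 or more overflows tmpbuf; kept here only for contrast.
std::vector<std::string> getSTRING_unsafe(Source &source, const IfdEntry &e) {
    std::vector<std::string> v;
    char tmpbuf[1024];
    source.seek(e.offset);
    source.getData((unsigned char *)tmpbuf, e.value_count); // copy may overrun tmpbuf
    tmpbuf[e.value_count] = 0;                              // write may land past tmpbuf
    v.push_back(std::string(tmpbuf));
    return v;
}

// Bounded version: reject counts that leave no room for the terminator,
// reject reads that run off the end of the file, and split the value on NUL
// so a multi-string ASCII field (allowed by TIFF 6.0) yields several strings.
std::vector<std::string> getSTRING_safe(Source &source, const IfdEntry &e) {
    std::vector<std::string> v;
    char tmpbuf[1024];
    if (e.value_count >= sizeof(tmpbuf)) return v;          // no room for tmpbuf[count] = 0
    source.seek(e.offset);
    if (!source.getData((unsigned char *)tmpbuf, e.value_count)) return v; // truncated file
    tmpbuf[e.value_count] = 0;
    size_t start = 0;
    for (size_t i = 0; i <= e.value_count; ++i) {
        if (tmpbuf[i] == 0) {
            if (i > start) v.push_back(std::string(tmpbuf + start, i - start));
            start = i + 1;
        }
    }
    return v;
}

// Constructed sample "file": 8 bytes of filler standing in for a header,
// followed by a NUL-terminated Model string at offset 8 (count 10).
Source constructedSample() {
    Source s;
    const char filler[8] = {'I', 'I', 42, 0, 8, 0, 0, 0};
    s.bytes.assign(filler, filler + sizeof(filler));
    const char model[] = "NIKON D70";
    s.bytes.insert(s.bytes.end(), model, model + sizeof(model));
    return s;
}

int main() {
    Source s = constructedSample();
    const IfdEntry cases[] = {
        {8, 10},           // well-formed entry
        {8, 0xFFFFFFFFu},  // fuzzer-style count; would overflow tmpbuf in the unsafe version
        {4000, 4},         // offset beyond the end of the file
    };
    for (const IfdEntry &e : cases) {
        std::vector<std::string> v = getSTRING_safe(s, e);
        std::printf("offset=%u count=%u -> %zu string(s)", e.offset, e.value_count, v.size());
        for (const std::string &str : v) std::printf(" \"%s\"", str.c_str());
        std::printf("\n");
    }
    return 0;
}
```

The count check must be strict (`>=`), not `>`: a count of exactly 1024 fills the buffer and still writes the terminator one byte past it. Checking the read against the file length is a separate condition; a count below 1024 can still point past the end of a truncated file, and the stand-in's getData reports that instead of reading uninitialised stack.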