Package: metacam Version: 1.2-6 Severity: important Tags: security metacam crashes when using following example input file fuzzed with AFL <http://lcamtuf.coredump.cx/afl/>.
5d4c287cf40b73d2a5aac8b4a7367564ce823937 afl-metacam-sample-001.jpg
Starting program: metacam afl-metacam-sample-001.jpg
File: afl-metacam-sample-001.jpg
WARNING: Unknown field type 0
WARNING: Unknown field type 0
Standard Fields -----------------------------------
Program received signal SIGSEGV, Segmentation fault.
tiffRATIONAL::normalize (this=0x0) at rationals.cc:40
40 if ((num == 0) || (den == 0)) return *this;
(gdb) bt
#0 tiffRATIONAL::normalize (this=0x0) at rationals.cc:40
#1 0x0000000000421bf7 in dpyResolution (ctx=..., name=0x4584f7 "X Resolution",
e=...) at dpyfuncs.cc:194
#2 0x000000000040ebe3 in displayTags (driver=driver@entry=0x661010,
header=header@entry=0x4581e5 "Standard Fields", tag_map=..., known=<optimized
out>,
verbose=0) at metacam.cc:86
#3 0x00000000004060bc in processFile (is=..., fname=<optimized out>,
driver=0x661010) at metacam.cc:255
#4 main (argc=<optimized out>, argv=<optimized out>) at metacam.cc:359
#5 0x00007ffff72d1ead in __libc_start_main (main=<optimized out>,
argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4e8)
at libc-start.c:244
#6 0x000000000040c271 in _start ()
(gdb) list
35
36
37 tiffRATIONAL
38 tiffRATIONAL::normalize() const
39 {
40 if ((num == 0) || (den == 0)) return *this;
41 unsigned long d = Euclid(num, den);
42 return tiffRATIONAL(num/d, den/d);
43 }
44
--
Henri Salo
signature.asc
Description: Digital signature
_______________________________________________ forensics-devel mailing list forensics-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/forensics-devel
