I can reproduce the problem now.
Thanks
On 07/08/2020 at 18:48, Anshunkang Zhou wrote:
Hi, here are the steps to reproduce this bug; you should unzip the attached file
and run it:
```
seviezhou@ubuntu:~$ git clone https://salsa.debian.org/debian/jhead.git
Cloning into 'jhead'...
remote: Enumerating objects: 814, done.
remote: Counting objects: 100% (814/814), done.
remote: Compressing objects: 100% (311/311), done.
remote: Total 814 (delta 436), reused 755 (delta 392), pack-reused 0
Receiving objects: 100% (814/814), 179.29 KiB | 283.00 KiB/s, done.
Resolving deltas: 100% (436/436), done.
Checking connectivity... done.
seviezhou@ubuntu:~$ cd jhead/
seviezhou@ubuntu:~/jhead$ CC="gcc -g -fsanitize=address" make -j
gcc -g -fsanitize=address -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -c jhead.c -o jhead.o
gcc -g -fsanitize=address -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -c jpgfile.c -o
jpgfile.o
gcc -g -fsanitize=address -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -c jpgqguess.c -o
jpgqguess.o
gcc -g -fsanitize=address -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -c paths.c -o paths.o
gcc -g -fsanitize=address -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -c exif.c -o exif.o
gcc -g -fsanitize=address -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -c iptc.c -o iptc.o
gcc -g -fsanitize=address -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -c gpsinfo.c -o
gpsinfo.o
gcc -g -fsanitize=address -g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -c makernote.c -o
makernote.o
gcc -g -fsanitize=address -Wl,-Bsymbolic-functions -Wl,-z,relro -o jhead
./jhead.o ./jpgfile.o ./jpgqguess.o ./paths.o ./exif.o ./iptc.o ./gpsinfo.o
./makernote.o -lm
./jhead.o: In function `DoCommand':
/home/seviezhou/jhead/jhead.c:379: warning: the use of `mktemp' is dangerous,
better use `mkstemp' or `mkdtemp'
seviezhou@ubuntu:~/jhead$ ./jhead -ft -exifmap -de -purejpg -di -dx
./SEGV-Get32s-exif-333
Map: 00008-00158: Directory
Map: 00158-00167: Data for tag 010f
Map: 00168-00184: Data for tag 0110
Map: 00184-00192: Data for tag 011a
Map: 00192-00200: Data for tag 011b
Nonfatal Error : './SEGV-Get32s-exif-333' Too many components -65535 for tag
0002 in Exif
Map: 00200-00211: Data for tag 0131
Map: 00212-00232: Data for tag 0132
Map: 00232-00237: Data for tag 8298
Map: 00266-00704: Directory
Map: 00704-00712: Data for tag 829a
Map: 00712-00720: Data for tag 829d
Nonfatal Error : './SEGV-Get32s-exif-333' Inappropriate format (3) for Exif GPS
coordinates!
Nonfatal Error : './SEGV-Get32s-exif-333' Inappropriate format (3) for Exif GPS
coordinates!
ASAN:SIGSEGV
=================================================================
==77365==ERROR: AddressSanitizer: SEGV on unknown address 0x61a00003f28c (pc
0x00000040a901 bp 0x000000000000 sp 0x7ffeadf0f830 T0)
#0 0x40a900 in Get32s /home/seviezhou/jhead/exif.c:333
#1 0x410d94 in ProcessGpsInfo /home/seviezhou/jhead/gpsinfo.c:138
#2 0x40d282 in ProcessExifDir /home/seviezhou/jhead/exif.c:866
#3 0x40d209 in ProcessExifDir /home/seviezhou/jhead/exif.c:852
#4 0x40d947 in process_EXIF /home/seviezhou/jhead/exif.c:1041
#5 0x407fbf in ReadJpegSections /home/seviezhou/jhead/jpgfile.c:287
#6 0x408210 in ReadJpegFile /home/seviezhou/jhead/jpgfile.c:379
#7 0x404e66 in ProcessFile /home/seviezhou/jhead/jhead.c:905
#8 0x4025d5 in main /home/seviezhou/jhead/jhead.c:1756
#9 0x7f8d56c7c83f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#10 0x403b08 in _start (/home/seviezhou/jhead/jhead+0x403b08)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/seviezhou/jhead/exif.c:333 Get32s
==77365==ABORTING
```
On 08/8/2020 00:33, Ludovic Rousseau <[email protected]> wrote:
Hello,
I can't reproduce the crash.
I tried with the normal binary and also a new build using your arguments.
I get a lot of "Nonfatal Error : 'SEGV-Get32s-exif-333' Illegal number format
1024 for tag 0000 in Exif"
but NO crash.
How can I reproduce the problem?
Bye
On 06/08/2020 at 05:14, Anshunkang Zhou wrote:
Package: jhead
Version: 1:3.04-2
Severity: important
Dear Maintainer,
I found a segmentation fault in the latest version of jhead. Detailed
information is as follows; the PoC is in the mail attachment.
## System info
Ubuntu x86_64, gcc, jhead (latest 1:3.04-2)
## Configure
CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" make
## Command line
./jhead -ft -exifmap -de -purejpg -di -dx @@
## Output
```
Segmentation fault
```
## AddressSanitizer output
```
ASAN:SIGSEGV
=================================================================
==17939==ERROR: AddressSanitizer: SEGV on unknown address
0x61a00003f28c (pc 0x00000041a7f0 bp 0x000000000000 sp 0x7ffc54eee3a0
T0)
#0 0x41a7ef in Get32s /home/seviezhou/jhead/exif.c:333
#1 0x42c908 in ProcessGpsInfo /home/seviezhou/jhead/gpsinfo.c:138
#2 0x42411f in ProcessExifDir /home/seviezhou/jhead/exif.c:866
#3 0x423e0e in ProcessExifDir /home/seviezhou/jhead/exif.c:852
#4 0x4255e1 in process_EXIF /home/seviezhou/jhead/exif.c:1041
#5 0x4103ad in ReadJpegSections /home/seviezhou/jhead/jpgfile.c:287
#6 0x4117ce in ReadJpegSections /home/seviezhou/jhead/jpgfile.c:126
#7 0x4117ce in ReadJpegFile /home/seviezhou/jhead/jpgfile.c:379
#8 0x408e4e in ProcessFile /home/seviezhou/jhead/jhead.c:905
#9 0x402e40 in main /home/seviezhou/jhead/jhead.c:1756
#10 0x7ffacc7e783f in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#11 0x406c88 in _start (/home/seviezhou/jhead/jhead+0x406c88)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/seviezhou/jhead/exif.c:333 Get32s
==17939==ABORTING
```
--
Dr. Ludovic Rousseau