Package: exifprobe
Version: 2.0.1-3
Severity: important
Tags: security

The following attached sample file crashes exifprobe. The sample file is fuzzed with american fuzzy lop <http://lcamtuf.coredump.cx/afl/>.
00000000  ff d8 ff e0 00 12 4a 46 58 58 00 10 ff c7 00 08  |......JFXX......|
00000010  3e 46 58 58 00 f5 c6 31                          |>FXX...1|
00000018

GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
(gdb) file exifprobe
Reading symbols from exifprobe-2.0.1/exifprobe...done.
(gdb) run -c sample.jpg
Starting program: exifprobe-2.0.1/exifprobe -c sample.jpg
File Name = sample.jpg
File Type = JPEG
File Size = 24
@000000000=0  : <JPEG_SOI>
@0x0000002=2  : <JPEG_APP0> 0xffe0 length 18, 'JFXX'
@0x000000b=11 : extension code 0x10 - JPEG thumbnail
@0x000000c=12 : <JPEG_SOF_7> length 8, 62 bits/sample, components=245, width=22528, height=18008
@0x0000016=22 : <ChromaBlurRadius> INVALID JPEG TAG
@0x0000015=21 : #### End of JPEG thumbnail data for APP0, length 10 ####
@0x0000015=21 : </JPEG_APP0>
@0x0000016=22 : <ChromaBlurRadius> INVALID JPEG TAG
-0x0000017=23 : END OF FILE
@000000000=0  : Start of JPEG (UNKNOWN JPEG compression) primary image [0x0] length 0 (APP0 JFXX) (CORRUPTED) (no image)
@0x000000c=12 : Start of JPEG differential lossless Huffman reduced-resolution image [22528x18008] length 10 (NO SOI)
-0x0000015=21 : End of JPEG reduced-resolution image data
Number of images = 2
Images not found = 2
File Format = JPEG/APP0/JFXX
*** glibc detected *** exifprobe-2.0.1/exifprobe: double free or corruption (!prev): 0x00000000007593a0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x75be6)[0x7ffff7845be6]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7ffff784a98c]
exifprobe-2.0.1/exifprobe[0x43affb]
exifprobe-2.0.1/exifprobe[0x401e54]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7ffff77eeead]
exifprobe-2.0.1/exifprobe[0x403289]
======= Memory map: ========
00400000-00553000 r-xp 00000000 08:06 5767486 exifprobe-2.0.1/exifprobe
00752000-00754000 rw-p 00152000 08:06 5767486 exifprobe-2.0.1/exifprobe
00754000-0077a000 rw-p 00000000 00:00 0 [heap]
7ffff0000000-7ffff0021000 rw-p 00000000 00:00 0
7ffff0021000-7ffff4000000 ---p 00000000 00:00 0
7ffff75ba000-7ffff75cf000 r-xp 00000000 08:01 48883 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff75cf000-7ffff77cf000 ---p 00015000 08:01 48883 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff77cf000-7ffff77d0000 rw-p 00015000 08:01 48883 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff77d0000-7ffff7951000 r-xp 00000000 08:01 15673 /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7951000-7ffff7b51000 ---p 00181000 08:01 15673 /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7b51000-7ffff7b55000 r--p 00181000 08:01 15673 /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7b55000-7ffff7b56000 rw-p 00185000 08:01 15673 /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7b56000-7ffff7b5b000 rw-p 00000000 00:00 0
7ffff7b5b000-7ffff7bdc000 r-xp 00000000 08:01 10443 /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7bdc000-7ffff7ddb000 ---p 00081000 08:01 10443 /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7ddb000-7ffff7ddc000 r--p 00080000 08:01 10443 /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7ddc000-7ffff7ddd000 rw-p 00081000 08:01 10443 /lib/x86_64-linux-gnu/libm-2.13.so
7ffff7ddd000-7ffff7dfd000 r-xp 00000000 08:01 37341 /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7fd9000-7ffff7fdc000 rw-p 00000000 00:00 0
7ffff7ff7000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 0001f000 08:01 37341 /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffd000-7ffff7ffe000 rw-p 00020000 08:01 37341 /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7802165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt full
#0  0x00007ffff7802165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <optimized out>
        selftid = <optimized out>
#1  0x00007ffff78053e0 in *__GI_abort () at abort.c:92
        act = {__sigaction_handler = {sa_handler = 0x7fffffffdf18, sa_sigaction = 0x7fffffffdf18}, sa_mask = {__val = {140737488346880, 140737488350391, 44, 140737346920731, 3, 140737488346890, 6, 140737346920735, 2, 140737488346878, 2, 140737346911721, 1, 140737346920731, 3, 140737488346884}}, sa_flags = 12, sa_restorer = 0x7ffff791e11f}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007ffff783c39b in __libc_message (do_abort=<optimized out>, fmt=<optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffe880, reg_save_area = 0x7fffffffe790}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffe880, reg_save_area = 0x7fffffffe790}}
        fd = 8
        on_2 = <optimized out>
        list = <optimized out>
        nlist = 0
        cp = <optimized out>
        written = false
#3  0x00007ffff7845be6 in malloc_printerr (action=3, str=0x7ffff7920270 "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:6312
        buf = "00000000007593a0"
        cp = 0x7ffff7915e40 "0123456789abcdefghijklmnopqrstuvwxyz"
#4  0x00007ffff784a98c in *__GI___libc_free (mem=<optimized out>) at malloc.c:3738
        ar_ptr = 0x7ffff7b56e40
        p = 0x6
#5  0x000000000043affb in destroy_summary (summary_entry=0x7593a0) at process.c:1704
        prev_entry = 0x759250
#6  0x0000000000401e54 in main (argc=<optimized out>, argv=0x7fffffffea70) at main.c:322
        file = 0x7fffffffece7 "sample.jpg"
        name = <optimized out>
        inptr = 0x759010
        status = 8
        max_offset = <optimized out>
        ifd_offset = <optimized out>
        dumplength = <optimized out>
        header = <optimized out>
        summary_entry = 0x759250
        filesize = 24
        chpr = <optimized out>
#7  0x00007ffff77eeead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffea48) at libc-start.c:244
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -3639622040855898393, 4207200, 140737488349776, 0, 0, 3639622040104343271, 3639640723441719015}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x53dc90, 0x7fffffffea58}, data = {prev = 0x0, cleanup = 0x0, canceltype = 5495952}}}
        not_first_call = <optimized out>
#8  0x0000000000403289 in _start ()
No symbol table info available.

-- 
Henri Salo
_______________________________________________
forensics-devel mailing list
forensics-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/forensics-devel
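Editor's added example (not part of Henri's report and not exifprobe's code): the 24 bytes in the hexdump above, walked by a small bounds-checked JPEG/APP0 parser so that every field exifprobe printed can be recovered from the raw bytes and the two structural defects of the sample are made explicit. The sample bytes are copied verbatim from the report; the struct and function names (jfxx_info, parse_jfxx_sample, and so on) are this example's own. The APP0 segment declares length 18, which does fit in the file, and carries a 'JFXX' identifier with extension code 0x10 (JPEG thumbnail) followed by 10 bytes of thumbnail. That thumbnail has no SOI and starts directly with an SOF7 whose declared length is 8 while its component count 245 would require 8 + 3*245 = 743 bytes. The last two bytes, c6 31, sit after the APP0 segment and do not start a marker; exifprobe read them as tag 0xc631, which is why it printed "<ChromaBlurRadius> INVALID JPEG TAG" at offset 22. The double free itself happens later, in exifprobe's own destroy_summary() list teardown, and is not modelled here; the example only shows how to keep every read inside the enclosing buffer and inside the APP0 payload when descending into the embedded thumbnail.

```c
/*
 * Added example, not exifprobe's code: a bounds-checked walk over the
 * 24-byte sample from the report. Names below are this example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The 24 bytes exactly as in the report's hexdump (the AFL-produced sample.jpg). */
static const uint8_t sample_jpg[24] = {
    0xff, 0xd8, 0xff, 0xe0, 0x00, 0x12, 0x4a, 0x46, 0x58, 0x58, 0x00, 0x10,
    0xff, 0xc7, 0x00, 0x08, 0x3e, 0x46, 0x58, 0x58, 0x00, 0xf5, 0xc6, 0x31
};

struct sof_hdr {
    uint8_t  marker;     /* second marker byte: 0xc7 = SOF7 */
    uint16_t length;     /* declared length, counts its own 2 bytes */
    uint8_t  precision;  /* bits per sample */
    uint16_t height, width;
    uint8_t  components; /* Nf */
    size_t   needed;     /* length an SOF with Nf components must have: 8 + 3*Nf */
};

struct jfxx_info {
    uint16_t app0_length;   /* declared APP0 length */
    char     app0_id[5];    /* "JFIF" or "JFXX" */
    uint8_t  ext_code;      /* JFXX extension code, 0x10 = JPEG thumbnail */
    size_t   thumb_len;     /* thumbnail bytes inside the APP0 payload */
    int      thumb_has_soi; /* does the thumbnail begin with ff d8? */
    struct sof_hdr sof;     /* SOFn at the start of the thumbnail, if any */
    size_t   trailing;      /* bytes after APP0 that do not start a marker */
};

enum { JFXX_OK = 0, JFXX_NO_SOI = -1, JFXX_NO_APP0 = -2,
       JFXX_APP0_TRUNC = -3, JFXX_THUMB_TRUNC = -4 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* SOF0..SOF15 are 0xc0..0xcf except DHT (c4), JPG (c8) and DAC (cc). */
static int is_sof(uint8_t m)
{
    return (m & 0xf0) == 0xc0 && m != 0xc4 && m != 0xc8 && m != 0xcc;
}

/* Parse SOI + one APP0/JFXX segment. Every read is checked against the
 * enclosing buffer, and the thumbnail is bounded by the APP0 payload,
 * never by the whole file. */
int parse_jfxx_sample(const uint8_t *buf, size_t len, struct jfxx_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 2 || buf[0] != 0xff || buf[1] != 0xd8)
        return JFXX_NO_SOI;
    if (len < 6 || buf[2] != 0xff || buf[3] != 0xe0)
        return JFXX_NO_APP0;
    out->app0_length = be16(buf + 4);
    size_t seg_end = 4 + (size_t)out->app0_length;  /* marker(2) + length bytes */
    if (out->app0_length < 8 || seg_end > len)      /* id(5) + ext(1) must fit */
        return JFXX_APP0_TRUNC;                     /* never trust the declared length */
    const uint8_t *payload = buf + 6;
    memcpy(out->app0_id, payload, 4);
    out->app0_id[4] = '\0';
    out->ext_code = payload[5];
    const uint8_t *thumb = payload + 6;
    out->thumb_len = seg_end - 12;
    out->thumb_has_soi = out->thumb_len >= 2 && thumb[0] == 0xff && thumb[1] == 0xd8;
    if (out->thumb_len >= 4 && thumb[0] == 0xff && is_sof(thumb[1])) {
        struct sof_hdr *s = &out->sof;
        s->marker = thumb[1];
        s->length = be16(thumb + 2);
        /* The SOF must fit inside the thumbnail, not merely inside the file. */
        if (s->length < 8 || 2 + (size_t)s->length > out->thumb_len)
            return JFXX_THUMB_TRUNC;
        s->precision  = thumb[4];
        s->height     = be16(thumb + 5);
        s->width      = be16(thumb + 7);
        s->components = thumb[9];
        s->needed     = 8 + 3 * (size_t)s->components;
    }
    /* Whatever follows APP0 must itself start with 0xff to be a marker. */
    out->trailing = (seg_end + 1 < len && buf[seg_end] == 0xff) ? 0 : len - seg_end;
    return JFXX_OK;
}

int main(void)
{
    /* Write the sample out so it can be fed to exifprobe -c sample.jpg. */
    FILE *f = fopen("sample.jpg", "wb");
    if (f) { fwrite(sample_jpg, 1, sizeof sample_jpg, f); fclose(f); }

    struct jfxx_info r;
    int rc = parse_jfxx_sample(sample_jpg, sizeof sample_jpg, &r);
    printf("status %d: APP0 '%s' length %u, ext 0x%02x, thumbnail %zu bytes (SOI: %s)\n",
           rc, r.app0_id, (unsigned)r.app0_length, (unsigned)r.ext_code,
           r.thumb_len, r.thumb_has_soi ? "yes" : "no");
    printf("SOF%d length %u, %u bits/sample, %ux%u, components=%u (would need %zu bytes)\n",
           r.sof.marker - 0xc0, (unsigned)r.sof.length, (unsigned)r.sof.precision,
           (unsigned)r.sof.width, (unsigned)r.sof.height, (unsigned)r.sof.components,
           r.sof.needed);
    printf("%zu trailing byte(s) after APP0 that are not a marker\n", r.trailing);
    return rc == JFXX_OK ? 0 : 1;
}
```

Running the program writes sample.jpg next to it, so the crash can be reproduced with the exifprobe binary from the report or, more usefully for locating the first bad free, under valgrind or an ASan build of exifprobe. Passing a shorter length than the file (or patching the SOF length byte at offset 15 upward) makes the parser return the truncation codes instead of reading past either boundary.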