Bug 105205 (CVE-2018-7728)

Summary: heap-buffer-overflow in MD5Update() of exempi 2.4.4
Product: exempi Reporter: Leon <leon.zhao.7>
Component: ProblemsAssignee: Hubert Figuiere <hub>
Status: RESOLVED FIXED QA Contact: Hubert Figuiere <hub>
Severity: critical    
Priority: medium CC: alan.coopersmith
Version: unspecified   
Hardware: Other   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments: POC file that crashing FreeXL in third-party/zuid/interfaces/MD5.cpp:152 MD5Update()

Description Leon 2018-02-22 09:52:11 UTC 
Created attachment 137526 [details]
POC file that crashing FreeXL in third-party/zuid/interfaces/MD5.cpp:152 MD5Update()

Description of problem:
The MD5Update() function at third-party/zuid/interfaces/MD5.cpp:152 in exempi 2.4.4 may result a heap-buffer-overflow via a crafted file.

Version-Release number of selected component (if applicable):
2.4.4

Steps to Reproduce:
./exempi -x $POC

Additional info:
Ubuntu 16.04, x64
The output of exempi with address sanitizer enabled

/opt/asan/exempi/bin/exempi -x exempi-MD5-152-overflow 
processing file exempi-MD5-152-overflow
dump_xmp for file exempi-MD5-152-overflow
=================================================================
==26033==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000af70 at pc 0x7f87561fa935 bp 0x7ffe9a35e360 sp 0x7ffe9a35db08
READ of size 64 at 0x60700000af70 thread T0
    #0 0x7f87561fa934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x49844c in MD5Update(MD5_CTX*, unsigned char*, unsigned int) /root/exempi-2.4.4/third-party/zuid/interfaces/MD5.cpp:152
    #2 0x56a4d3 in ComputeIPTCDigest /root/exempi-2.4.4/XMPFiles/source/FormatSupport/ReconcileIPTC.cpp:70
    #3 0x56a61a in PhotoDataUtils::CheckIPTCDigest(void const*, unsigned int, void const*) /root/exempi-2.4.4/XMPFiles/source/FormatSupport/ReconcileIPTC.cpp:82
    #4 0x5ac638 in TIFF_MetaHandler::ProcessXMP() /root/exempi-2.4.4/XMPFiles/source/FileHandlers/TIFF_Handler.cpp:244
    #5 0x493e95 in XMPFiles::GetXMP(TXMPMeta<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >*, char const**, unsigned int*, XMP_PacketInfo*) /root/exempi-2.4.4/XMPFiles/source/XMPFiles.cpp:1303
    #6 0x48a2da in WXMPFiles_GetXMP_1 /root/exempi-2.4.4/XMPFiles/source/WXMPFiles.cpp:332
    #7 0x41e50f in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::GetXMP(TXMPMeta<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, XMP_PacketInfo*) (/opt/asan/exempi/bin/exempi+0x41e50f)
    #8 0x40bb0f in xmp_files_get_new_xmp /root/exempi-2.4.4/exempi/exempi.cpp:329
    #9 0x408730 in get_xmp_from_file /root/exempi-2.4.4/exempi/main.cpp:237
    #10 0x4088ed in dump_xmp /root/exempi-2.4.4/exempi/main.cpp:250
    #11 0x409573 in process_file /root/exempi-2.4.4/exempi/main.cpp:340
    #12 0x408151 in main /root/exempi-2.4.4/exempi/main.cpp:187
    #13 0x7f8754e8582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x4074d8 in _start (/opt/asan/exempi/bin/exempi+0x4074d8)

0x60700000af70 is located 0 bytes to the right of 80-byte region [0x60700000af20,0x60700000af70)
allocated by thread T0 here:
    #0 0x7f8756207532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x5aab06 in __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x5aaa7c in std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > > >::allocate(std::allocator<std::_Rb_tree_node<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >&, unsigned long) (/opt/asan/exempi/bin/exempi+0x5aaa7c)
    #3 0x5aa886 in std::_Rb_tree<unsigned short, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>, std::_Select1st<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::_M_get_node() (/opt/asan/exempi/bin/exempi+0x5aa886)
    #4 0x5aa7cb in std::_Rb_tree_node<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >* std::_Rb_tree<unsigned short, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>, std::_Select1st<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::_M_create_node<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&>(std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&) /usr/include/c++/5/bits/stl_tree.h:545
    #5 0x5aa535 in std::_Rb_tree_node<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >* std::_Rb_tree<unsigned short, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>, std::_Select1st<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::_Alloc_node::operator()<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&>(std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&) const /usr/include/c++/5/bits/stl_tree.h:459
    #6 0x5a9de7 in std::_Rb_tree_iterator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > std::_Rb_tree<unsigned short, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>, std::_Select1st<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::_M_insert_<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&, std::_Rb_tree<unsigned short, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>, std::_Select1st<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::_Alloc_node>(std::_Rb_tree_node_base*, std::_Rb_tree_node_base*, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&, std::_Rb_tree<unsigned short, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>, std::_Select1st<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::_Alloc_node&) /usr/include/c++/5/bits/stl_tree.h:1509
    #7 0x5a8b13 in std::_Rb_tree_iterator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > std::_Rb_tree<unsigned short, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>, std::_Select1st<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::_M_insert_unique_<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&, std::_Rb_tree<unsigned short, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>, std::_Select1st<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::_Alloc_node>(std::_Rb_tree_const_iterator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&, std::_Rb_tree<unsigned short, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>, std::_Select1st<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::_Alloc_node&) /usr/include/c++/5/bits/stl_tree.h:1978
    #8 0x5a7837 in std::_Rb_tree_iterator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > std::_Rb_tree<unsigned short, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>, std::_Select1st<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::_M_insert_unique_<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&>(std::_Rb_tree_const_iterator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&) /usr/include/c++/5/bits/stl_tree.h:938
    #9 0x5a6ba7 in std::_Rb_tree_iterator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > std::map<unsigned short, TIFF_FileWriter::InternalTagInfo, std::less<unsigned short>, std::allocator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> > >::insert<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&, void>(std::_Rb_tree_const_iterator<std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo> >, std::pair<unsigned short const, TIFF_FileWriter::InternalTagInfo>&) (/opt/asan/exempi/bin/exempi+0x5a6ba7)
    #10 0x59e0dc in TIFF_FileWriter::ProcessFileIFD(unsigned char, unsigned int, XMP_IO*) /root/exempi-2.4.4/XMPFiles/source/FormatSupport/TIFF_FileWriter.cpp:890
    #11 0x59d11a in TIFF_FileWriter::ParseFileStream(XMP_IO*) /root/exempi-2.4.4/XMPFiles/source/FormatSupport/TIFF_FileWriter.cpp:770
    #12 0x5aba00 in TIFF_MetaHandler::CacheFileData() /root/exempi-2.4.4/XMPFiles/source/FileHandlers/TIFF_Handler.cpp:130
    #13 0x491ad4 in DoOpenFile /root/exempi-2.4.4/XMPFiles/source/XMPFiles.cpp:908
    #14 0x49230e in XMPFiles::OpenFile(char const*, unsigned int, unsigned int) /root/exempi-2.4.4/XMPFiles/source/XMPFiles.cpp:1011
    #15 0x488c27 in WXMPFiles_OpenFile_1 /root/exempi-2.4.4/XMPFiles/source/WXMPFiles.cpp:234
    #16 0x41dc70 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::OpenFile(char const*, unsigned int, unsigned int) (/opt/asan/exempi/bin/exempi+0x41dc70)
    #17 0x40b797 in xmp_files_open_new /root/exempi-2.4.4/exempi/exempi.cpp:280
    #18 0x4086f4 in get_xmp_from_file /root/exempi-2.4.4/exempi/main.cpp:235
    #19 0x4088ed in dump_xmp /root/exempi-2.4.4/exempi/main.cpp:250
    #20 0x409573 in process_file /root/exempi-2.4.4/exempi/main.cpp:340
    #21 0x408151 in main /root/exempi-2.4.4/exempi/main.cpp:187
    #22 0x7f8754e8582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c0e7fff9590: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
  0x0c0e7fff95a0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0e7fff95b0: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff95c0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff95d0: 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 00 00
=>0x0c0e7fff95e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[fa]fa
  0x0c0e7fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0e7fff9600: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
  0x0c0e7fff9610: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0e7fff9620: 00 00 00 00 00 00 fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff9630: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==26033==ABORTING

Weiran Labs, Zhaoliang
leon.zhao.7@gmail.com
Comment 1 Hubert Figuiere 2018-02-25 19:02:44 UTC 
Fixed in e163667a06a9b656a047b0ec660b871f29a83c9f

Thank you so much for the report.
Comment 2 Alan Coopersmith 2018-03-06 21:08:32 UTC 
Mitre has assigned this CVE-2018-7728:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7728

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.