Bug 105247 (CVE-2018-7731)

Summary: NULL pointer dereference in WEBP::VP8XChunk::VP8XChunk() of exempi 2.4.4
Product: exempi Reporter: Leon <leon.zhao.7>
Component: ProblemsAssignee: Hubert Figuiere <hub>
Status: RESOLVED FIXED QA Contact: Hubert Figuiere <hub>
Severity: critical    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: Linux (All)   
Whiteboard: [release:2.4.5]
i915 platform: i915 features:
Attachments: POC file that crashing exempi in WEBP_Support.cpp:123 WEBP::VP8XChunk::VP8XChunk()

Description Leon 2018-02-26 06:27:30 UTC 
Created attachment 137601 [details]
POC file that crashing exempi in WEBP_Support.cpp:123 WEBP::VP8XChunk::VP8XChunk()

Description of problem:
The WEBP::VP8XChunk::VP8XChunk() function at WEBP_Support.cpp:123 in exempi 2.4.4 may result DoS(crash) via a crafted file.

Version-Release number of selected component (if applicable):
2.4.4

Steps to Reproduce:
./exempi -x $POC

Additional info:
Ubuntu 16.04, x64
The output of exempi with address sanitizer enabled

/opt/asan/exempi/bin/exempi -x exempi-WEBP_Support-123-SEGV 
processing file exempi-WEBP_Support-123-SEGV
dump_xmp for file exempi-WEBP_Support-123-SEGV
ASAN:SIGSEGV
=================================================================
==7132==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000007 (pc 0x0000005caa55 bp 0x7ffc6a6742b0 sp 0x7ffc6a674270 T0)
    #0 0x5caa54 in WEBP::VP8XChunk::VP8XChunk(WEBP::Container*) /root/exempi-2.4.4/XMPFiles/source/FormatSupport/WEBP_Support.cpp:123
    #1 0x5cb1a6 in WEBP::Container::Container(WEBP_MetaHandler*) /root/exempi-2.4.4/XMPFiles/source/FormatSupport/WEBP_Support.cpp:201
    #2 0x5c5fbf in WEBP_MetaHandler::CacheFileData() /root/exempi-2.4.4/XMPFiles/source/FileHandlers/WEBP_Handler.cpp:89
    #3 0x491ad4 in DoOpenFile /root/exempi-2.4.4/XMPFiles/source/XMPFiles.cpp:908
    #4 0x49230e in XMPFiles::OpenFile(char const*, unsigned int, unsigned int) /root/exempi-2.4.4/XMPFiles/source/XMPFiles.cpp:1011
    #5 0x488c27 in WXMPFiles_OpenFile_1 /root/exempi-2.4.4/XMPFiles/source/WXMPFiles.cpp:234
    #6 0x41dc70 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::OpenFile(char const*, unsigned int, unsigned int) (/opt/asan/exempi/bin/exempi+0x41dc70)
    #7 0x40b797 in xmp_files_open_new /root/exempi-2.4.4/exempi/exempi.cpp:280
    #8 0x4086f4 in get_xmp_from_file /root/exempi-2.4.4/exempi/main.cpp:235
    #9 0x4088ed in dump_xmp /root/exempi-2.4.4/exempi/main.cpp:250
    #10 0x409573 in process_file /root/exempi-2.4.4/exempi/main.cpp:340
    #11 0x408151 in main /root/exempi-2.4.4/exempi/main.cpp:187
    #12 0x7f9265c1282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x4074d8 in _start (/opt/asan/exempi/bin/exempi+0x4074d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/exempi-2.4.4/XMPFiles/source/FormatSupport/WEBP_Support.cpp:123 WEBP::VP8XChunk::VP8XChunk(WEBP::Container*)
==7132==ABORTING

Weiran Labs, Zhaoliang
leon.zhao.7@gmail.com
Comment 1 Hubert Figuiere 2018-02-26 06:53:09 UTC 
Fixed in aabedb5e749dd59112a3fe1e8e08f2d934f56666

Thank you so much for the report.
Comment 2 Alan Coopersmith 2018-03-06 21:01:34 UTC 
Mitre has assigned this CVE-2018-7731:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7731

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.