Bug 105204 (CVE-2018-7730) - heap-buffer-overflow in PSD_MetaHandler::CacheFileData() of exempi 2.4.4
Summary: heap-buffer-overflow in PSD_MetaHandler::CacheFileData() of exempi 2.4.4
Status: RESOLVED FIXED
Alias: CVE-2018-7730
Product: exempi
Classification: Unclassified
Component: Problems
Version: unspecified
Hardware: All Linux (All)
Importance: medium critical
Assignee: Hubert Figuiere
QA Contact: Hubert Figuiere
URL:
Whiteboard: [release:2.4.5]
Keywords:
Depends on:
Blocks:
Reported: 2018-02-22 09:43 UTC by Leon
Modified: 2018-03-08 03:25 UTC

See Also:

Attachments
POC file that crashes exempi in PSD_Handler.cpp:166 PSD_MetaHandler::CacheFileData() (19.22 KB, image/vnd.adobe.photoshop)
2018-02-22 09:43 UTC, Leon

Description Leon 2018-02-22 09:43:47 UTC
Created attachment 137525
POC file that crashes exempi in PSD_Handler.cpp:166 PSD_MetaHandler::CacheFileData()

Description of problem:
The PSD_MetaHandler::CacheFileData() function at PSD_Handler.cpp:166 in exempi 2.4.4 may result in a heap-buffer-overflow via a crafted xls file.

Version-Release number of selected component (if applicable):
2.4.4

Steps to Reproduce:
./exempi -x $POC

Additional info:
Ubuntu 16.04, x64
The output of exempi with address sanitizer enabled

/opt/asan/exempi/bin/exempi -x exempi-PSD_Handler-166-overflow 
processing file exempi-PSD_Handler-166-overflow
dump_xmp for file exempi-PSD_Handler-166-overflow
=================================================================
==1309==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x7fe1f5513935 bp 0x7ffd3ea4a7d0 sp 0x7ffd3ea49f78
READ of size 4294967295 at 0x60200000efb1 thread T0
    #0 0x7fe1f5513934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x7fe1f4b864ee in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_mutate(unsigned long, unsigned long, char const*, unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x11f4ee)
    #2 0x7fe1f4b8700a in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_replace(unsigned long, unsigned long, char const*, unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x12000a)
    #3 0x51c98a in PSD_MetaHandler::CacheFileData() /root/exempi-2.4.4/XMPFiles/source/FileHandlers/PSD_Handler.cpp:166
    #4 0x491ad4 in DoOpenFile /root/exempi-2.4.4/XMPFiles/source/XMPFiles.cpp:908
    #5 0x49230e in XMPFiles::OpenFile(char const*, unsigned int, unsigned int) /root/exempi-2.4.4/XMPFiles/source/XMPFiles.cpp:1011
    #6 0x488c27 in WXMPFiles_OpenFile_1 /root/exempi-2.4.4/XMPFiles/source/WXMPFiles.cpp:234
    #7 0x41dc70 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::OpenFile(char const*, unsigned int, unsigned int) (/opt/asan/exempi/bin/exempi+0x41dc70)
    #8 0x40b797 in xmp_files_open_new /root/exempi-2.4.4/exempi/exempi.cpp:280
    #9 0x4086f4 in get_xmp_from_file /root/exempi-2.4.4/exempi/main.cpp:235
    #10 0x4088ed in dump_xmp /root/exempi-2.4.4/exempi/main.cpp:250
    #11 0x409573 in process_file /root/exempi-2.4.4/exempi/main.cpp:340
    #12 0x408151 in main /root/exempi-2.4.4/exempi/main.cpp:187
    #13 0x7fe1f419e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x4074d8 in _start (/opt/asan/exempi/bin/exempi+0x4074d8)

0x60200000efb1 is located 0 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
    #0 0x7fe1f551f602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x521165 in PSIR_FileWriter::ParseFileResources(XMP_IO*, unsigned int) /root/exempi-2.4.4/XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp:359
    #2 0x51c7bf in PSD_MetaHandler::CacheFileData() /root/exempi-2.4.4/XMPFiles/source/FileHandlers/PSD_Handler.cpp:151
    #3 0x491ad4 in DoOpenFile /root/exempi-2.4.4/XMPFiles/source/XMPFiles.cpp:908
    #4 0x49230e in XMPFiles::OpenFile(char const*, unsigned int, unsigned int) /root/exempi-2.4.4/XMPFiles/source/XMPFiles.cpp:1011
    #5 0x488c27 in WXMPFiles_OpenFile_1 /root/exempi-2.4.4/XMPFiles/source/WXMPFiles.cpp:234
    #6 0x41dc70 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::OpenFile(char const*, unsigned int, unsigned int) (/opt/asan/exempi/bin/exempi+0x41dc70)
    #7 0x40b797 in xmp_files_open_new /root/exempi-2.4.4/exempi/exempi.cpp:280
    #8 0x4086f4 in get_xmp_from_file /root/exempi-2.4.4/exempi/main.cpp:235
    #9 0x4088ed in dump_xmp /root/exempi-2.4.4/exempi/main.cpp:250
    #10 0x409573 in process_file /root/exempi-2.4.4/exempi/main.cpp:340
    #11 0x408151 in main /root/exempi-2.4.4/exempi/main.cpp:187
    #12 0x7fe1f419e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa[01]fa fa fa 02 fa fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==1309==ABORTING

Weiran Labs, Zhaoliang
leon.zhao.7@gmail.com
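The sanitizer log above reports a READ of size 4294967295 (0xFFFFFFFF, i.e. a 32-bit -1) out of a 1-byte heap allocation, reached through std::string::_M_replace. That size is what an unsigned length computed by subtraction produces when a file-supplied length field is smaller than the header it is supposed to include. The following is an added illustration of that general pattern and its hardened form; it is not exempi's code, the record layout is a constructed toy format (not the real Photoshop image-resource layout), and the page does not show exempi's actual source, so this is not a statement of the exact root cause. The names `unchecked_payload_length`, `parse_record_checked` and `make_record` are assumptions made for the example.

```cpp
// Added example, not exempi's code: length-prefixed record parsing with an
// unchecked subtraction (the wrap behind "READ of size 4294967295") next to a
// version that validates every length before copying.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed toy record layout (hypothetical, not the real PSIR layout):
//   bytes 0..3  total_len  (big-endian, counts the 4-byte length field itself)
//   bytes 4..   payload    (total_len - 4 bytes)
static const size_t kHeaderLen = 4;

struct ParsedRecord {
    bool ok;             // false when the record was rejected
    std::string payload; // copied payload bytes when ok
};

static uint32_t read_be32(const uint8_t *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// The unsafe computation: a 32-bit length taken from the file minus the
// header size, with no check that the field is at least the header size.
// total_len == 3 wraps to 0xFFFFFFFF == 4294967295, the size ASan reports
// above. Handing that to std::string::assign() reads far past a small heap
// allocation. This helper only returns the value; it never copies.
uint32_t unchecked_payload_length(uint32_t total_len) {
    return total_len - uint32_t(kHeaderLen);
}

// Hardened parse: each length is validated against what is actually in the
// buffer before a single byte is copied.
ParsedRecord parse_record_checked(const std::vector<uint8_t> &buf, size_t offset) {
    ParsedRecord r = {false, std::string()};
    if (offset > buf.size() || buf.size() - offset < kHeaderLen)
        return r;                                  // not even a full length field
    uint32_t total_len = read_be32(&buf[offset]);
    if (total_len < kHeaderLen)
        return r;                                  // would underflow the subtraction
    size_t payload_len = total_len - kHeaderLen;
    size_t available = buf.size() - offset - kHeaderLen;
    if (payload_len > available)
        return r;                                  // declared length exceeds the file
    r.payload.assign(reinterpret_cast<const char *>(&buf[offset + kHeaderLen]), payload_len);
    r.ok = true;
    return r;
}

// Builds a constructed record: big-endian length field followed by payload.
// The declared length is taken as given so malformed records can be built.
std::vector<uint8_t> make_record(uint32_t declared_total_len, const std::string &payload) {
    std::vector<uint8_t> v;
    v.push_back(uint8_t(declared_total_len >> 24));
    v.push_back(uint8_t(declared_total_len >> 16));
    v.push_back(uint8_t(declared_total_len >> 8));
    v.push_back(uint8_t(declared_total_len));
    v.insert(v.end(), payload.begin(), payload.end());
    return v;
}

int main() {
    // Well-formed: declared length 8 = 4 header + 4 payload bytes.
    ParsedRecord g = parse_record_checked(make_record(8, "XMP!"), 0);
    std::printf("good: ok=%d payload=%s\n", g.ok, g.payload.c_str());

    // Malformed: declared length 3 is one short of the header; the unchecked
    // arithmetic wraps, the checked parser rejects it.
    std::printf("unchecked length for total_len=3: %u\n", unchecked_payload_length(3));
    std::printf("short header: ok=%d\n", parse_record_checked(make_record(3, "X"), 0).ok);

    // Malformed: declared length claims more bytes than the buffer holds.
    std::printf("truncated: ok=%d\n", parse_record_checked(make_record(1000, "abc"), 0).ok);
    return 0;
}
```

The check that matters is the `total_len < kHeaderLen` test before the subtraction; the `payload_len > available` test after it covers the other direction, where a record declares more data than the file contains. Both rejections are cheap and turn a sanitizer-detectable overread into a parse failure that a caller can log.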
Comment 1 Hubert Figuiere 2018-02-25 18:37:48 UTC
Fixed in 6cbd34025e5fd3ba47b29b602096e456507ce83b

Thank you so much for the report.
Comment 2 Alan Coopersmith 2018-03-06 21:07:06 UTC
Mitre has assigned this CVE-2018-7730:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7730