Bug#779695: metacam: segmentation fault in tiffRATIONAL::normalize at rationals.cc:40
Henri Salo
henri at nerv.fi
Wed Mar 4 06:52:01 UTC 2015
Package: metacam
Version: 1.2-6
Severity: important
Tags: security
metacam crashes when using the following example input file, fuzzed with AFL
<http://lcamtuf.coredump.cx/afl/>.
5d4c287cf40b73d2a5aac8b4a7367564ce823937 afl-metacam-sample-001.jpg
Starting program: metacam afl-metacam-sample-001.jpg
File: afl-metacam-sample-001.jpg
WARNING: Unknown field type 0
WARNING: Unknown field type 0
Standard Fields -----------------------------------
Program received signal SIGSEGV, Segmentation fault.
tiffRATIONAL::normalize (this=0x0) at rationals.cc:40
40 if ((num == 0) || (den == 0)) return *this;
(gdb) bt
#0 tiffRATIONAL::normalize (this=0x0) at rationals.cc:40
#1 0x0000000000421bf7 in dpyResolution (ctx=..., name=0x4584f7 "X Resolution", e=...) at dpyfuncs.cc:194
#2 0x000000000040ebe3 in displayTags (driver=driver at entry=0x661010, header=header at entry=0x4581e5 "Standard Fields", tag_map=..., known=<optimized out>,
verbose=0) at metacam.cc:86
#3 0x00000000004060bc in processFile (is=..., fname=<optimized out>, driver=0x661010) at metacam.cc:255
#4 main (argc=<optimized out>, argv=<optimized out>) at metacam.cc:359
#5 0x00007ffff72d1ead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4e8) at libc-start.c:244
#6 0x000000000040c271 in _start ()
(gdb) list
35
36
37 tiffRATIONAL
38 tiffRATIONAL::normalize() const
39 {
40 if ((num == 0) || (den == 0)) return *this;
41 unsigned long d = Euclid(num, den);
42 return tiffRATIONAL(num/d, den/d);
43 }
44
--
Henri Salo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: afl-metacam-sample-001.jpg
Type: image/jpeg
Size: 1273 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/forensics-devel/attachments/20150304/98873f0c/attachment.jpg>
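To make the crash pattern in the backtrace concrete, the following is an added example and not metacam's own code: tiffRATIONAL, normalize() and Euclid() follow the gdb listing, while the tag map and the two dpyResolution-style display functions are assumed stand-ins for what dpyResolution() does at dpyfuncs.cc:194. The unchecked form calls normalize() through a null pointer (this=0x0, the SIGSEGV above); the checked form treats a missing or malformed field as absent.

```cpp
// Added example, not metacam's code. Reconstructs the null-`this` call
// behind the rationals.cc:40 crash next to a checked variant.
#include <cstdint>
#include <map>
#include <optional>
#include <string>

struct tiffRATIONAL {
    uint32_t num;
    uint32_t den;
    tiffRATIONAL(uint32_t n, uint32_t d) : num(n), den(d) {}
    tiffRATIONAL normalize() const;
};

static unsigned long Euclid(unsigned long a, unsigned long b) {
    while (b != 0) { unsigned long t = a % b; a = b; b = t; }
    return a;
}

tiffRATIONAL tiffRATIONAL::normalize() const {
    // Reading num/den through a null `this` is the fault at rationals.cc:40.
    if ((num == 0) || (den == 0)) return *this;
    unsigned long d = Euclid(num, den);
    return tiffRATIONAL(num / d, den / d);
}

// Assumed tag store: a tag with an unknown field type (the "Unknown field
// type 0" warnings) carries no RATIONAL value, so lookup yields nullptr.
using TagMap = std::map<std::string, const tiffRATIONAL*>;

// Crashing form: dereferences the lookup result unconditionally.
std::string dpyResolution_unchecked(const TagMap& tags, const std::string& name) {
    const tiffRATIONAL* e = tags.at(name);   // may be nullptr
    tiffRATIONAL r = e->normalize();         // undefined behaviour when e == nullptr
    return std::to_string(r.num) + "/" + std::to_string(r.den);
}

// Hardened form: a missing pointer or missing tag is reported as "not present".
std::optional<std::string> dpyResolution_checked(const TagMap& tags, const std::string& name) {
    auto it = tags.find(name);
    if (it == tags.end() || it->second == nullptr) return std::nullopt;
    tiffRATIONAL r = it->second->normalize();
    return std::to_string(r.num) + "/" + std::to_string(r.den);
}

// Constructed sample input: one valid RATIONAL and one tag whose value is missing.
static const tiffRATIONAL kXRes(300, 2);
static const TagMap kSampleTags = {{"X Resolution", &kXRes}, {"Y Resolution", nullptr}};
```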