Bug#779697: metacam: SIGBUS, Bus error at dataifdentry.cc

Henri Salo henri at nerv.fi
Wed Mar 4 06:57:47 UTC 2015


Package: metacam
Version: 1.2-6
Severity: important
Tags: security

metacam crashes when using the following example input file, fuzzed with AFL
<http://lcamtuf.coredump.cx/afl/>.

08cc3e8a67812d32d51c5aff70a10a77e4b73644  /home/fgeek/security/afl-samples/metacam/afl-metacam-sample-003.jpg

Starting program: metacam afl-metacam-sample-003.jpg
File: afl-metacam-sample-003.jpg
WARNING: Unknown field type 58624
WARNING: Unknown field type 0
WARNING: Unknown field type 8241
WARNING: Unknown field type 9361
  Standard Fields -----------------------------------

Program received signal SIGBUS, Bus error.
_DataIFDEntry::getSTRING (this=0x663380) at dataifdentry.cc:121
121         tmpbuf[value_count] = 0;

(gdb) bt
#0  _DataIFDEntry::getSTRING (this=0x663380) at dataifdentry.cc:121
#1  0x0000000000417b68 in getSTRING (this=<optimized out>) at metatiff.h:411
#2  dpyString (ctx=..., name=0x45870c "Model", e=...) at dpyfuncs.cc:46
#3  0x000000000040ebe3 in displayTags (driver=driver at entry=0x661010, header=header at entry=0x4581e5 "Standard Fields", tag_map=..., known=<optimized out>, verbose=0) at metacam.cc:86
#4  0x00000000004060bc in processFile (is=..., fname=<optimized out>, driver=0x661010) at metacam.cc:255
#5  main (argc=<optimized out>, argv=<optimized out>) at metacam.cc:359
#6  0x00007ffff72d1ead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
    stack_end=0x7fffffffe4a8) at libc-start.c:244
#7  0x000000000040c271 in _start ()

(gdb) list
116         vector<string> v;
117         if (getRawType() != tASCII) {return v;}
118         char tmpbuf[1024];
119         source.seek(offset);
120         source.getData((unsigned char *)tmpbuf, value_count);
121         tmpbuf[value_count] = 0;
122         v.push_back(string(tmpbuf));
123         return v;
124     }
125

-- 
Henri Salo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: afl-metacam-sample-003.jpg
Type: image/jpeg
Size: 1556 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/forensics-devel/attachments/20150304/bd1ac031/attachment.jpg>
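The listing above copies `value_count` bytes from the file into a fixed 1024-byte stack buffer and then writes the terminator at `tmpbuf[value_count]`, so a crafted IFD entry with a large count runs past the buffer. The following is an added example (not metacam's own code) of the same routine with the length bounded before it is used; `FakeSource`, `makeSource` and `getSTRINGSafe` are stand-ins constructed for this example, and the `tASCII` type check from the original is omitted because the stand-in has no type field.

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Minimal stand-in for metacam's data source (constructed for this example):
// a byte buffer with seek() and getData().
struct FakeSource {
    std::vector<unsigned char> bytes;
    size_t pos = 0;
    void seek(size_t off) { pos = off; }
    // Copies up to n bytes; returns how many bytes were actually available,
    // so a truncated file never leaves the caller trusting a bogus length.
    size_t getData(unsigned char *dst, size_t n) {
        size_t avail = pos < bytes.size() ? bytes.size() - pos : 0;
        size_t take = n < avail ? n : avail;
        std::memcpy(dst, bytes.data() + pos, take);
        pos += take;
        return take;
    }
};

FakeSource makeSource(const std::string &s) {
    FakeSource src;
    src.bytes.assign(s.begin(), s.end());
    return src;
}

// Hardened version of the getSTRING() logic from the backtrace: value_count
// comes straight from the IFD entry in the file, so it is checked against the
// buffer size before it is used as an index. An entry whose declared length
// does not fit is treated as malformed and yields no strings.
std::vector<std::string> getSTRINGSafe(FakeSource &source, size_t offset, size_t value_count) {
    std::vector<std::string> v;
    char tmpbuf[1024];
    if (value_count >= sizeof(tmpbuf)) { return v; }   // would overflow: reject the entry
    source.seek(offset);
    size_t got = source.getData(reinterpret_cast<unsigned char *>(tmpbuf), value_count);
    tmpbuf[got] = 0;                                   // terminator always lands inside the buffer
    v.push_back(std::string(tmpbuf));
    return v;
}
```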