| ID | Category | Severity | Reproducibility | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000534 | [exiv2] exif | minor | always | 2007-12-14 08:55 | 2008-05-28 19:34 |

| Field | Value |
|---|---|
| Reporter | ahuggel |
| View Status | public |
| Assigned To | ahuggel |
| Priority | normal |
| Resolution | fixed |
| Status | closed |
| Product Version | |
| Summary | 0000534: Integer overflow when reading thumbnail |
Description

Mail from "Meder Kydyraliev" <meder@google.com>, 14-Dec-07:

---

Test: [fuzz-118.jpg]

IFD1's (thumbnail IFD) JpegIFOffset (0x0201) and JpegIFByteCount (0x0202) are set to values that overflow if added.

exiv2-0.16-pre1:

- Test leads to an integer overflow in JpegThumbnail::setDataArea():

  exif.cpp (lines 308-309):

      ...
      if (len < offset + size) return 2;
      format->setDataArea(buf + offset, size);
      ...

  value.hpp (lines 1600-1607):

      template<typename T>
      inline int ValueType<T>::setDataArea(const byte* buf, long len)
      {
          byte* tmp = 0;
          if (len > 0) {
              tmp = new byte[len];
              std::memcpy(tmp, buf, len);
          }

It seems like TiffThumbnail::setDataArea() might also have this problem.

Please credit "Meder Kydyraliev, Google Security Team" in any advisories relating to these issues.
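The wrap-around the report describes, as an added example that is not exiv2's code and not the change that closed this issue. The quoted check `if (len < offset + size) return 2;` is modelled over `uint32_t` (the width of the TIFF LONG fields that carry JpegIFOffset and JpegIFByteCount) so the wrap is well defined in the demo; in exiv2 the operands are `long`, where signed overflow is undefined behaviour rather than a clean wrap. The function names `oldCheckAccepts`, `safeCheckAccepts`, `evaluate` and `copyThumbnail`, and the sample offset/size pair, are assumptions for illustration, not values taken from fuzz-118.jpg.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Bounds check shaped like the one quoted from exiv2-0.16-pre1 exif.cpp,
// written over uint32_t so the wrap-around below is well defined.
// Returns true when the check lets the (offset, size) pair through.
bool oldCheckAccepts(uint32_t len, uint32_t offset, uint32_t size) {
    uint32_t end = offset + size;   // wraps modulo 2^32 for large operands
    return !(len < end);            // same condition as `if (len < offset + size) return 2;`
}

// Hardened check (hypothetical, not exiv2's fix): no addition that can
// wrap. offset must lie inside the buffer and the bytes left after it
// must cover size, which is equivalent to offset + size <= len.
bool safeCheckAccepts(uint32_t len, uint32_t offset, uint32_t size) {
    return offset <= len && size <= len - offset;
}

struct CheckResult {
    bool accepted;      // the bounds check passed
    uint64_t overrun;   // bytes a memcpy(buf + offset, size) would read past buf + len
};

// Evaluates either check against exact 64-bit arithmetic to quantify the
// out-of-bounds read that would follow an accepted, wrapped pair.
CheckResult evaluate(uint32_t len, uint32_t offset, uint32_t size, bool hardened) {
    bool ok = hardened ? safeCheckAccepts(len, offset, size)
                       : oldCheckAccepts(len, offset, size);
    uint64_t end = uint64_t(offset) + uint64_t(size);   // cannot wrap in 64 bits
    uint64_t overrun = (ok && end > len) ? end - len : 0;
    return {ok, overrun};
}

// Hardened stand-in for the setDataArea() step: copies the thumbnail bytes
// only after the safe check; returns an empty vector when the pair is rejected.
std::vector<uint8_t> copyThumbnail(const std::vector<uint8_t>& buf,
                                   uint32_t offset, uint32_t size) {
    if (buf.size() > UINT32_MAX) return {};   // keep the check in the 32-bit domain
    uint32_t len = static_cast<uint32_t>(buf.size());
    if (!safeCheckAccepts(len, offset, size)) return {};
    auto first = buf.begin() + static_cast<std::ptrdiff_t>(offset);
    return std::vector<uint8_t>(first, first + static_cast<std::ptrdiff_t>(size));
}

int main() {
    // Constructed values (not from fuzz-118.jpg): a 4 KiB buffer and an
    // IFD1 pair whose sum 0xFFFFFF00 + 0x200 wraps to 0x100 in 32 bits.
    const uint32_t len = 4096;
    const uint32_t offset = 0xFFFFFF00u;
    const uint32_t size = 0x200u;

    CheckResult old = evaluate(len, offset, size, false);
    CheckResult fixed = evaluate(len, offset, size, true);
    std::cout << "old check accepts: " << old.accepted
              << ", memcpy would overrun by " << old.overrun << " bytes\n";
    std::cout << "safe check accepts: " << fixed.accepted << "\n";

    std::vector<uint8_t> buf(len, 0xAB);   // constructed thumbnail buffer
    std::cout << "copyThumbnail(offset=100, size=200) -> "
              << copyThumbnail(buf, 100, 200).size() << " bytes\n";
    std::cout << "copyThumbnail(wrapped pair) -> "
              << copyThumbnail(buf, offset, size).size() << " bytes\n";
    return 0;
}
```

The rearranged comparison is the usual idiom for this class of bug: rather than computing `offset + size` and hoping the result is representable, test each operand against the space that is actually available. Because setDataArea() receives only `buf + offset` and `size`, it cannot re-check the bounds itself, so the caller's check is the only line of defence for both the JPEG and the TIFF thumbnail paths the report mentions.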