Untitled (Pastebin, posted by a guest, Jun 30th, 2017)

Exiv2 - Issues
Bug #1248

floating point exception / crash on malformed input

Added by Hanno Böck 8 months ago. Updated 8 months ago.

Status:          Closed        Start date:      21 Oct 2016
Priority:        Normal        Due date:
Assignee:        Robin Mills   % Done:          100%
Category:        not-a-bug     Estimated time:  5.00 hours
Target version:  0.26

----------------------------------------------------------------------
  38.  
Description

The attached file will cause a floating point exception with "exiv2 print".

Here's a stack trace:

    ==18792==ERROR: AddressSanitizer: FPE on unknown address 0x7f50fa97325b (pc 0x7f50fa97325b bp 0x7ffdcda38c80 sp 0x7ffdcda38b90 T0)
    #0 0x7f50fa97325a in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const /f/exiv2/trunk/include/exiv2/value.hpp:1666:32
    #1 0x7f50fab94125 in std::ostream& Exiv2::Internal::printTag<27, Exiv2::Internal::exifFlash>(std::ostream&, Exiv2::Value const&, Exiv2::ExifData const*) /f/exiv2/trunk/src/tags_int.hpp:229:44
    #2 0x7f50fa94d256 in Exiv2::Exifdatum::write(std::ostream&, Exiv2::ExifData const*) const /f/exiv2/trunk/src/exif.cpp:230:16
    #3 0x55fdcd in Action::Print::printTag(Exiv2::ExifData const&, std::string const&, std::string const&) const /f/exiv2/trunk/src/actions.cpp:497:13
    #4 0x5485a2 in Action::Print::printSummary() /f/exiv2/trunk/src/actions.cpp:360:13
    #5 0x544a58 in Action::Print::run(std::string const&) /f/exiv2/trunk/src/actions.cpp:244:44
    #6 0x4fe07f in main /f/exiv2/trunk/src/exiv2.cpp:170:19
    #7 0x7f50f920378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x421eb8 in _start (/r/exiv2/exiv2+0x421eb8)

    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /f/exiv2/trunk/include/exiv2/value.hpp:1666:32 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const
    ==18792==ABORTING

exiv2-fpe-printTag.jpg (65 Bytes) Hanno Böck, 21 Oct 2016 21:17
exiv2-fpe-print0x9207-printTag.jpg - fpe in printTag / print0x9207 (65 Bytes) Hanno Böck, 22 Oct 2016 20:52
heapoverflow-printIFDStructure-382.jpg (220 Bytes) Hanno Böck, 22 Oct 2016 21:01
heapoverflow-byteSwap4-printIFDStructure-429.jpg (18 Bytes) Hanno Böck, 22 Oct 2016 21:01

----------------------------------------------------------------------

Related issues

Related to Exiv2 - Bug #1247: out of bounds read access in Exiv2::Image::setIccProfile (Closed, 21 Oct 2016)

History
  91.  
#1 Updated by Robin Mills 8 months ago

Hanno

What are you doing here? This is another malformed file. It's very helpful to have those files, however I can't deal with an avalanche of illegal files at the moment. I'm in the end game of completing v0.26. The team will meet on Sunday to discuss RC1 v0.26: http://clanmills.com/exiv2/Exiv2v0-26RC1.pdf

How about proceeding as follows:

1) We change the title of #1247 to "Exceptions/Crashes due to malformed input files"
2) When you find another file, update #1247 with the file and symptoms.

Find all that you can and we'll deal with them in v0.27.

Are you aware of the term "fuzzing"? I believe this is the art of creating illegal files to put software under stress. I am aware that libexiv2 can be exploited in this way, however I have never had time to work on this topic. Images are read by the function readMetadata() in the image handlers src/tiffimage.cpp, src/jpgimage.cpp/etc. It's probably necessary to go through those functions line-by-line and devise files to break the code. Then engineer a fix in the code. And that won't be the end of the project - far from it. We can modify metadata/delete metadata which could also put the code under great stress. Such a project is probably a very considerable undertaking.

Dealing with this by dumping files on me one-at-a-time is a very inefficient use of my time. The fix you provided earlier to #1247 was incorrect and generated compiler warnings on GCC. And I added your test file to our test harness. So, you've taken up 2 hours of my day. 2 hours that I would prefer to use on the bug hunt for v0.26 #1230.

If you'd like to take on the challenge of finding and fixing all of this, I will happily assist/mentor you. However I'd like to avoid a very discouraging avalanche of bug reports.
  130.  
#2 Updated by Robin Mills 8 months ago

  * Category set to image format
  * Target version set to 0.27

#3 Updated by Hanno Böck 8 months ago

These files are actually a result of fuzzing. I'm using american fuzzy lop in combination with address sanitizer. See here [1] [2] for some docs.

If you feel it's more appropriate I can add them all to one bug.

[1] https://fuzzing-project.org/tutorial2.html
[2] https://fuzzing-project.org/tutorial3.html
  145.  
#4 Updated by Robin Mills 8 months ago

Hanno

Thanks for doing this. I did more work on #1247 last night and again this morning (I'm in England). I've thought of a way to cure/hide this by adding a function Image::lint() which would have signal handlers. Image::lint() would "sniff" files by running readMetadata() and printStructure() in a safe context.

I have closed #1247. As you discover additional issues, please update this issue #1248. I'll add the Image::lint() function in v0.27 and this will make the code immune to crashes on opening files. Image::lint() will make the library safer. I will also look at small changes in readMetadata() and printStructure() on a case-by-case basis.

We are having a Team Meeting tomorrow at 13:00 UTC 2016-10-23. You are welcome to join us if you wish. http://dev.exiv2.org/boards/3/topics/2767

Robin

#5 Updated by Robin Mills 8 months ago

  * Status changed from New to Assigned
  * Assignee set to Robin Mills
  * Estimated time set to 100.00
  172.  
#6 Updated by Hanno Böck 8 months ago

  * File exiv2-fpe-print0x9207-printTag.jpg added

Attached a file causing a different floating point exception (may be the same underlying bug).

Stack trace:

    ==15656==ERROR: AddressSanitizer: FPE on unknown address 0x000000736534 (pc 0x000000736534 bp 0x0c0800001924 sp 0x7ffd491c0430 T0)
    #0 0x736533 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const /f/exiv2/trunk/include/exiv2/value.hpp:1666:32
    #1 0x885227 in std::ostream& Exiv2::Internal::printTag<9, Exiv2::Internal::exifMeteringMode>(std::ostream&, Exiv2::Value const&, Exiv2::ExifData const*) /f/exiv2/trunk/src/tags_int.hpp:229:44
    #2 0x8627b9 in Exiv2::Internal::print0x9207(std::ostream&, Exiv2::Value const&, Exiv2::ExifData const*) /f/exiv2/trunk/src/tags.cpp:2733:16
    #3 0x7093e4 in Exiv2::Exifdatum::write(std::ostream&, Exiv2::ExifData const*) const /f/exiv2/trunk/src/exif.cpp:230:16
    #4 0x610fcd in Action::Print::printTag(Exiv2::ExifData const&, std::string const&, std::string const&) const /f/exiv2/trunk/src/actions.cpp:497:13
    #5 0x5fb699 in Action::Print::printSummary() /f/exiv2/trunk/src/actions.cpp:405:9
    #6 0x5f5c58 in Action::Print::run(std::string const&) /f/exiv2/trunk/src/actions.cpp:244:44
    #7 0x5af24f in main /f/exiv2/trunk/src/exiv2.cpp:170:19
    #8 0x7f99f63e778f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #9 0x4d3088 in _start (/r/exiv2/exiv2+0x4d3088)

    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /f/exiv2/trunk/include/exiv2/value.hpp:1666:32 in Exiv2::ValueType<std::pair<int, int> >::toLong(long) const
    ==15656==ABORTING
  207.  
#7 Updated by Hanno Böck 8 months ago

  * File heapoverflow-printIFDStructure-382.jpg added
  * File heapoverflow-byteSwap4-printIFDStructure-429.jpg added

Attached are two files causing (different) heap buffer overflows (one writing and one reading) in exiv2.

I have to add that these don't crash exiv2 for me. This is not uncommon for memory safety bugs, it often depends on system, compiler behavior or memory layout whether these cause an issue or not. You can reliably see these bugs with address sanitizer, which is a feature of gcc and clang and can be enabled by passing "-fsanitize=address" to the compiler flags.

Address Sanitizer output for heapoverflow-printIFDStructure-382.jpg:

    ==12115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edd3 at pc 0x00000076004c bp 0x7fffe4bdfb90 sp 0x7fffe4bdfb88
    WRITE of size 4 at 0x60200000edd3 thread T0
    #0 0x76004b in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /f/exiv2/trunk/src/image.cpp:382:17
    #1 0x761168 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /f/exiv2/trunk/src/image.cpp:494:13
    #2 0x89c0f9 in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) /f/exiv2/trunk/src/tiffimage.cpp:348:9
    #3 0x894d98 in Exiv2::TiffImage::readMetadata() /f/exiv2/trunk/src/tiffimage.cpp:191:9
    #4 0x5f658c in Action::Print::printSummary() /f/exiv2/trunk/src/actions.cpp:289:9
    #5 0x5f5c58 in Action::Print::run(std::string const&) /f/exiv2/trunk/src/actions.cpp:244:44
    #6 0x5af24f in main /f/exiv2/trunk/src/exiv2.cpp:170:19
    #7 0x7fc2bc7b278f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x4d3088 in _start (/r/exiv2/exiv2+0x4d3088)

    0x60200000edd3 is located 2 bytes to the right of 1-byte region [0x60200000edd0,0x60200000edd1)
    allocated by thread T0 here:
    #0 0x5abd40 in operator new[](unsigned long) (/r/exiv2/exiv2+0x5abd40)
    #1 0x7589fa in Exiv2::DataBuf::DataBuf(long) /f/exiv2/trunk/include/exiv2/types.hpp:204:46
    #2 0x7589fa in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /f/exiv2/trunk/src/image.cpp:381
    #3 0x761168 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /f/exiv2/trunk/src/image.cpp:494:13

Address Sanitizer output for heapoverflow-byteSwap4-printIFDStructure-429.jpg:

    ==31059==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62700001b930 at pc 0x00000075fee6 bp 0x7ffc51df1a90 sp 0x7ffc51df1a88
    READ of size 1 at 0x62700001b930 thread T0
    #0 0x75fee5 in Exiv2::Image::byteSwap4(Exiv2::DataBuf&, unsigned long, bool) /f/exiv2/trunk/src/image.cpp:265:16
    #1 0x75fee5 in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /f/exiv2/trunk/src/image.cpp:429
    #2 0x761168 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /f/exiv2/trunk/src/image.cpp:494:13
    #3 0x89c0f9 in Exiv2::TiffImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) /f/exiv2/trunk/src/tiffimage.cpp:348:9
    #4 0x894d98 in Exiv2::TiffImage::readMetadata() /f/exiv2/trunk/src/tiffimage.cpp:191:9
    #5 0x5f658c in Action::Print::printSummary() /f/exiv2/trunk/src/actions.cpp:289:9
    #6 0x5f5c58 in Action::Print::run(std::string const&) /f/exiv2/trunk/src/actions.cpp:244:44
    #7 0x5af24f in main /f/exiv2/trunk/src/exiv2.cpp:170:19
    #8 0x7f94d781178f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #9 0x4d3088 in _start (/r/exiv2/exiv2+0x4d3088)

    0x62700001b930 is located 0 bytes to the right of 12336-byte region [0x627000018900,0x62700001b930)
    allocated by thread T0 here:
    #0 0x5abd40 in operator new[](unsigned long) (/r/exiv2/exiv2+0x5abd40)
    #1 0x7589fa in Exiv2::DataBuf::DataBuf(long) /f/exiv2/trunk/include/exiv2/types.hpp:204:46
    #2 0x7589fa in Exiv2::Image::printIFDStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, unsigned int, bool, char, int) /f/exiv2/trunk/src/image.cpp:381
    #3 0x761168 in Exiv2::Image::printTiffStructure(Exiv2::BasicIo&, std::ostream&, Exiv2::PrintStructureOption, int, unsigned long) /f/exiv2/trunk/src/image.cpp:494:13
  294.  
#8 Updated by Robin Mills 8 months ago

Thanks for working on this, Hanno. I've thought of a serious limitation with my idea of the function Image::lint(). It has to modify and restore signal handlers. If signal handlers are process wide, messing with them in a single function can never be thread-safe without a lock. I never want to add a hidden lock to libexiv2. None of this misery occurs with clang where the code throws an Exiv2 exception. The host application doesn't crash and can inform the user that the file cannot be read.

#9 Updated by Robin Mills 8 months ago

I'm wondering if there is any point in working on this issue. It isn't an issue when you build with clang. The problem is 100% due to elderly compilers such as GCC and CL. It does not make sense to pollute the Exiv2 code with checks to remedy deficiencies in the build tools.

The idea/proposal to write Image::lint() can never be implemented in a thread-safe manner. http://stackoverflow.com/questions/5282099/signal-handling-in-pthreads

I feel this issue and #1247 are "not a bug" and should be closed.
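
The two AddressSanitizer reports in #7 share one shape: a DataBuf is sized from count/type fields read out of the file, and a 4-byte access then lands past its end. The exception-based behaviour Robin prefers in #8 (the host catches "cannot be read" instead of the process dying, with no signal handler involved) is what a bounds-checked reader gives you. The following is an added example, not Exiv2 code: `CheckedBuf`, `parseIfd`, `canReadMetadata` and `sampleTiff` are hypothetical names, and the TIFF bytes are constructed for the example rather than taken from any attachment. Every access goes through a helper that throws when the requested range is outside the file, and entry data ranges are validated before they are touched; building it with `-fsanitize=address`, as #7 describes, is the way to confirm the checks hold.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// One 12-byte TIFF IFD entry as stored in the file.
struct IfdEntry {
    uint16_t tag;
    uint16_t type;
    uint32_t count;
    uint32_t valueOrOffset;  // inline value if the data fits in 4 bytes, else a file offset
};

// Byte width of TIFF field types 1..12 (BYTE, ASCII, SHORT, LONG, RATIONAL, SBYTE,
// UNDEFINED, SSHORT, SLONG, SRATIONAL, FLOAT, DOUBLE); index 0 is unused.
static const size_t kTypeSize[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

// Hypothetical wrapper: holds the whole file and refuses any read outside it.
class CheckedBuf {
public:
    CheckedBuf(const std::vector<uint8_t>& data, bool bigEndian)
        : data_(data), bigEndian_(bigEndian) {}

    size_t size() const { return data_.size(); }

    uint16_t u16(size_t off) const {
        need(off, 2);
        return bigEndian_ ? static_cast<uint16_t>((data_[off] << 8) | data_[off + 1])
                          : static_cast<uint16_t>((data_[off + 1] << 8) | data_[off]);
    }

    uint32_t u32(size_t off) const {
        need(off, 4);
        uint32_t v = 0;
        for (size_t i = 0; i < 4; ++i) {
            size_t idx = bigEndian_ ? off + i : off + 3 - i;
            v = (v << 8) | data_[idx];
        }
        return v;
    }

private:
    // Overflow-safe containment test: never computes off + n, which could wrap.
    void need(size_t off, size_t n) const {
        if (off > data_.size() || n > data_.size() - off)
            throw std::runtime_error("read of " + std::to_string(n) + " bytes at offset " +
                                     std::to_string(off) + " is outside the file");
    }

    std::vector<uint8_t> data_;
    bool bigEndian_;
};

// Parses a single IFD at ifdOffset and validates every entry's data range.
std::vector<IfdEntry> parseIfd(const CheckedBuf& buf, size_t ifdOffset) {
    const uint16_t n = buf.u16(ifdOffset);
    // The entry table is 12*n bytes; reject an impossible count before looping.
    if (n > (buf.size() - ifdOffset - 2) / 12)
        throw std::runtime_error("IFD entry count exceeds file size");

    std::vector<IfdEntry> entries;
    for (uint16_t i = 0; i < n; ++i) {
        const size_t e = ifdOffset + 2 + 12 * static_cast<size_t>(i);
        IfdEntry ent{buf.u16(e), buf.u16(e + 2), buf.u32(e + 4), buf.u32(e + 8)};

        if (ent.type == 0 || ent.type > 12)
            throw std::runtime_error("unknown IFD field type");
        const size_t unit = kTypeSize[ent.type];
        if (ent.count > SIZE_MAX / unit)  // count * unit would overflow
            throw std::runtime_error("IFD entry count overflows");
        const size_t bytes = ent.count * unit;

        // Out-of-line data must lie wholly inside the file: the check that the
        // unchecked read/write past a DataBuf in the reports above was missing.
        if (bytes > 4 && (ent.valueOrOffset > buf.size() || bytes > buf.size() - ent.valueOrOffset))
            throw std::runtime_error("IFD entry data lies outside the file");
        entries.push_back(ent);
    }
    buf.u32(ifdOffset + 2 + 12 * static_cast<size_t>(n));  // next-IFD pointer must be readable too
    return entries;
}

// What a host application sees: true if the metadata can be walked, otherwise
// false plus the reason, with no crash and no signal handler involved.
bool canReadMetadata(const std::vector<uint8_t>& file, std::string* reason) {
    try {
        if (file.size() < 8) throw std::runtime_error("too short for a TIFF header");
        const bool bigEndian = file[0] == 'M' && file[1] == 'M';
        if (!bigEndian && !(file[0] == 'I' && file[1] == 'I'))
            throw std::runtime_error("not a TIFF byte-order mark");
        CheckedBuf buf(file, bigEndian);
        if (buf.u16(2) != 42) throw std::runtime_error("bad TIFF magic");
        parseIfd(buf, buf.u32(4));
        return true;
    } catch (const std::exception& e) {
        if (reason) *reason = e.what();
        return false;
    }
}

// Constructed sample (not one of the attachments): little-endian TIFF header, one
// IFD with ImageWidth=64 (inline SHORT) and BitsPerSample as 3 SHORTs stored at
// offset 38, then a zero next-IFD pointer. 44 bytes in total.
std::vector<uint8_t> sampleTiff() {
    return {
        'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,                            // header, IFD at 8
        0x02, 0x00,                                                              // 2 entries
        0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,  // 0x0100 SHORT x1 = 64
        0x02, 0x01, 0x03, 0x00, 0x03, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00,  // 0x0102 SHORT x3 @ 38
        0x00, 0x00, 0x00, 0x00,                                                  // next IFD: none
        0x08, 0x00, 0x08, 0x00, 0x08, 0x00                                       // BitsPerSample data
    };
}

int main() {
    std::string why;
    std::vector<uint8_t> ok = sampleTiff();
    std::cout << "intact: " << (canReadMetadata(ok, &why) ? "readable" : why) << "\n";
    std::vector<uint8_t> cut = sampleTiff();
    cut.resize(30);  // truncated inside the entry table
    std::cout << "truncated: " << (canReadMetadata(cut, &why) ? "readable" : why) << "\n";
    return 0;
}
```

The checks are deliberately written so that no intermediate sum can wrap: `need()` compares `n` against the remaining length rather than computing `off + n`, and the count multiplication is guarded against overflow before it happens, because a wrapped size is exactly how a 1-byte DataBuf ends up receiving a 4-byte write.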
  317.  
#10 Updated by Robin Mills 8 months ago

More proof that this is a build tools issue. I tested last night's MSVC/2015 build. No problem:

    C:\temp\dist\2015\x64\dll\Release\bin>exiv2 -vV | grep -e svn -e date -e time -e compiler
    compiler=MSVC
    date=Oct 23 2016
    time=02:46:49
    svn=4655
    have_gmtime_r=0
    have_timegm=0
    xmlns=mediapro:http://ns.iview-multimedia.com/mediapro/1.0/

    C:\temp\dist\2015\x64\dll\Release\bin>exiv2 -pa \Users\rmills\gnu\exiv2\trunk\test\data\exiv2-bug1247.jpg
    Exiv2 exception in print action for file \Users\rmills\gnu\exiv2\trunk\test\data\exiv2-bug1247.jpg:
    Not a valid ICC Profile

    C:\temp\dist\2015\x64\dll\Release\bin>exiv2 -pR \Users\rmills\gnu\exiv2\trunk\test\data\exiv2-bug1247.jpg
    STRUCTURE OF JPEG FILE: \Users\rmills\gnu\exiv2\trunk\test\data\exiv2-bug1247.jpg
     address | marker       |  length | data
           0 | 0xffd8 SOI
           2 | 0xffe2 APP2  |      16 | ICC_PROFILE.... chunk 0/0
          18 | 0xffffffffff É"ÿ.∙Exiv2 exception in print action for file \Users\rmills\gnu\exiv2\trunk\test\data\exiv2-bug1247.jpg:
    This does not look like a JPEG image

    C:\temp\dist\2015\x64\dll\Release\bin>

Two simple questions:

1) Why are we working on this?
2) Is there any reason I should not close this issue?
  350.  
#11 Updated by Robin Mills 8 months ago

  * Category changed from image format to not-a-bug
  * Status changed from Assigned to Closed
  * Target version changed from 0.27 to 0.26
  * % Done changed from 0 to 100
  * Estimated time changed from 100.00 to 5.00
  358.  
#12 Updated by Hanno Böck 8 months ago

I'm not sure why you come to the conclusion these are not bugs....

You say these don't affect clang, I can't reproduce that. All four issues also happen with clang (latest version 3.9.0, on Linux). I'm also not entirely sure if your comments are only related to the fpe issue or about all issues (but you asked me to put unrelated bugs into one bug report...)

The floating point exception issues are "only" crashes, so I might understand you say that you don't want to fix them, but the buffer overflows are security issues. If it's not your intention to fix those then this is very problematic and at the very least you need to clearly state that exiv2 is not suitable for untrusted input.
  373.  
#13 Updated by Robin Mills 8 months ago

I'm very unwilling to stick lots of code into Exiv2 to deal with illegal files. It will be a very considerable undertaking which might have unbounded scope. I'll build it with clang 3.9 and see what happens. If it throws an exception, I don't want to dig deeper.

I have to point out that I deal almost alone with Exiv2. I have to say "No" to some requests. I am not under any obligation to you to say that it is untrusted or anything else for that matter. If you had the courtesy to say "Thank You for investigating this Robin and being willing to commit 100 hours to this matter", I would feel more enthusiasm for your request. However you have been shown no appreciation for my cooperation.

#14 Updated by Robin Mills 8 months ago

One more comment. If you think this is a very important matter, the best way to have it resolved is for you to join the team and work on the issue.
  392.  
#15 Updated by Robin Mills 8 months ago

You are correct. It does crash on clang 3.9 on Linux.

    750 rmills@rmillsmbp-ubuntu:~/gnu/exiv2/trunk $ exiv2 -vVg compiler -g version -g date -g time
    exiv2 0.25 001900 (64 bit build)
    compiler=Clang
    version=4.2.1 Compatible Clang 3.9.0 (tags/RELEASE_390/final)
    date=Oct 31 2016
    time=14:25:26
    id=$Id: version.cpp 4590 2016-09-30 16:45:54Z robinwmills $
    have_gmtime_r=1
    have_timegm=1
    xmlns=mediapro:http://ns.iview-multimedia.com/mediapro/1.0/
    751 rmills@rmillsmbp-ubuntu:~/gnu/exiv2/trunk $ exiv2 -pa test/data/exiv2-bug1247.jpg
    Exiv2 exception in print action for file test/data/exiv2-bug1247.jpg:
    Not a valid ICC Profile
    752 rmills@rmillsmbp-ubuntu:~/gnu/exiv2/trunk $ exiv2 -pR test/data/exiv2-bug1247.jpg
    STRUCTURE OF JPEG FILE: test/data/exiv2-bug1247.jpg
     address | marker       |  length | data
           0 | 0xffd8 SOI
           2 | 0xffe2 APP2  |      16 | ICC_PROFILE.... chunk 0/0
    Segmentation fault (core dumped)
    753 rmills@rmillsmbp-ubuntu:~/gnu/exiv2/trunk $

However, I'm not working on this. If I have a GSoC student to work on #992 in 2017, I will ask him to investigate this.
  420.  
#16 Updated by Robin Mills 8 months ago

Apple Clang does not crash. It throws an exception. Here's the clang version info for the current Xcode (8.1 8B62) on Sierra 10.12.1

    558 rmills@rmillsmbp:~/gnu/exiv2/trunk $ clang --version
    Apple LLVM version 8.0.0 (clang-800.0.42.1)
    Target: x86_64-apple-darwin16.1.0
    Thread model: posix
    InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
    559 rmills@rmillsmbp:~/gnu/exiv2/trunk $

Perhaps this has something to do with the Apple Sandbox. We need to understand more to decide how best to deal with this. Hammering nails into the Exiv2 image handling code to protect against any/every possible image spec violation sounds like the road to nowhere. Clearly, we could launch an external image-lint program (which could be exiv2 with a signal handler). This adds considerable overhead to opening images - however it would help. By testing the "safety" of the image in a separate process, we avoid the need for a lock in libexiv2.

I know nothing about hacking and exploiting buffer overflows. Perhaps we need more caution about them. This is a mind-boggling issue. The code to defend our image read/write code could be larger than the current library. It appears that Apple have generated code which catches the crash. We need more research on how to handle this within a library. And preferably a method that doesn't require us to add thousands of if statements.
  448.  
#17 Updated by Robin Mills 8 months ago

Here is a tool that we could investigate. http://safecode.cs.illinois.edu/index.html It's a little elderly, however I found a September 2015 version: https://github.com/jtcriswell/safecode-llvm37/tree/master/cmake The LLVM web site promotes SAFECode as a current project http://llvm.org For sure that isn't working in clang 8.0 on MacOS-X:

    579 rmills@rmillsmbp:~/gnu/exiv2/trunk $ clang --version
    Apple LLVM version 8.0.0 (clang-800.0.42.1)
    Target: x86_64-apple-darwin16.1.0
    Thread model: posix
    InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
    580 rmills@rmillsmbp:~/gnu/exiv2/trunk $ ./configure "CXXFLAGS=-g -fmemsafety"
    checking for g++... g++
    checking whether the C++ compiler works... no
    configure: error: in `/Users/rmills/gnu/exiv2/trunk':
    configure: error: C++ compiler cannot create executables
    See `config.log' for more details
    581 rmills@rmillsmbp:~/gnu/exiv2/trunk $

Nor Linux with clang 3.9 on Ubuntu:

    827 rmills@rmillsmbp-ubuntu:~/gnu/exiv2/trunk $ which clang
    /usr/bin/clang
    828 rmills@rmillsmbp-ubuntu:~/gnu/exiv2/trunk $ clang --version
    clang version 3.9.0-1ubuntu1 (tags/RELEASE_390/final)
    Target: x86_64-pc-linux-gnu
    Thread model: posix
    InstalledDir: /usr/bin
    829 rmills@rmillsmbp-ubuntu:~/gnu/exiv2/trunk $ ./configure "CXXFLAGS=-g -fmemsafety"
    checking for g++... g++
    checking whether the C++ compiler works... no
    configure: error: in `/home/rmills/gnu/exiv2/trunk':
    configure: error: C++ compiler cannot create executables
    See `config.log' for more details
    830 rmills@rmillsmbp-ubuntu:~/gnu/exiv2/trunk $

Alien Skin Software are an Exiv2 User. I have been discussing with them to add options to ImageFactory::open for something in which they are interested. http://dev.exiv2.org/issues/1245#note-2

Currently, we have an option bool bUseCurl.

    class EXIV2API ImageFactory {
    ...
    public:
    ...
        static BasicIo::AutoPtr createIo(const std::string& path, bool useCurl = true);
    ...
        static Image::AutoPtr open(const std::string& path, bool useCurl = true);
    ...
    };

bool useCurl could be replaced with an enum bitmask. We could add an option checkSafe which would invoke exiv2(.exe) in a separate process. We have code in src/version.cpp to detect the location of the libexiv2.vv.so (.dylib, .dll) library at run-time. We can take advantage of that to determine the path to exiv2(.exe).

Returning to Hanno's request that we say that Exiv2 is "not suitable for untrusted input". I will not do that. The default (for all open source software) is that the user must determine suitability for his/her purposes. We do not claim that Exiv2 is safe for all files. I doubt if we could ever make such a claim even if we pepper our code with checks for malicious images. I don't believe in 2016 that it is possible to guarantee the safety and reliability of any software.
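
Comments #16 and #17 sketch two ideas: an enum bitmask in place of `bool useCurl` with a `checkSafe` option, and running the "sniff" of a file in a separate process so that a crash there cannot bring down the host and the library needs neither a signal handler nor a hidden lock. The following is an added example and not Exiv2's API: `OpenOptions`, `kOpenCheckSafe`, `lintInChild` and `openWithOptions` are hypothetical names, and instead of locating and exec'ing `exiv2(.exe)` it forks the current process and runs a callback standing in for readMetadata()/printStructure(). It is POSIX-only (fork, waitpid). The three stand-in checks model the outcomes seen in this thread: a clean read, a thrown exception ("Not a valid ICC Profile" on MSVC and Apple clang), and a signal-terminated crash.

```cpp
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <csignal>
#include <cstdlib>
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical replacement for the bool useCurl parameter on ImageFactory::open.
enum OpenOptions : unsigned {
    kOpenNone      = 0,
    kOpenUseCurl   = 1u << 0,  // what useCurl = true expresses today
    kOpenCheckSafe = 1u << 1   // sniff the file out-of-process before opening it
};
inline OpenOptions operator|(OpenOptions a, OpenOptions b) {
    return static_cast<OpenOptions>(static_cast<unsigned>(a) | static_cast<unsigned>(b));
}
inline bool has(OpenOptions v, OpenOptions f) {
    return (static_cast<unsigned>(v) & static_cast<unsigned>(f)) != 0;
}

// Runs `check` in a forked child. Returns true only if the child ran to
// completion and exited 0. A child killed by SIGSEGV/SIGFPE/SIGABRT (the
// failure modes in the sanitizer traces above) simply makes this return false;
// the parent's signal handlers and threads are never touched.
bool lintInChild(const std::function<int()>& check) {
    pid_t pid = fork();
    if (pid < 0) return false;  // could not fork: treat the file as unsafe
    if (pid == 0) {
        int rc = 1;
        try { rc = check(); } catch (...) { rc = 2; }  // an exception is a clean "no"
        _exit(rc);  // never return into the parent's code path
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return false;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

// Stand-ins for readMetadata()/printStructure() on three kinds of input.
int cleanCheck() { return 0; }
int throwingCheck() { throw std::runtime_error("Not a valid ICC Profile"); }
int crashingCheck() { std::raise(SIGSEGV); return 0; }

struct OpenResult {
    bool ok;
    std::string message;
};

// Hypothetical ImageFactory::open-style front end honouring the bitmask.
OpenResult openWithOptions(const std::function<int()>& sniff, OpenOptions opts) {
    if (has(opts, kOpenCheckSafe) && !lintInChild(sniff))
        return {false, "file rejected by out-of-process safety check"};
    return {true, has(opts, kOpenUseCurl) ? "opened (curl enabled)" : "opened"};
}

int main() {
    std::cout << "clean:    " << openWithOptions(cleanCheck, kOpenCheckSafe).message << "\n";
    std::cout << "throwing: " << openWithOptions(throwingCheck, kOpenCheckSafe).message << "\n";
    std::cout << "crashing: " << openWithOptions(crashingCheck, kOpenCheckSafe).message << "\n";
    return 0;
}
```

The cost Robin mentions is visible here: every open with `kOpenCheckSafe` pays for a fork and a second parse, which is why it is an opt-in flag rather than the default. The flag is independent of `kOpenUseCurl`, so callers can combine them, and an open without the flag runs no sniff at all.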
  516.  