There is a null-pointer-dereference bug in WEBP_Support.hpp:45
Submitted by xiao
Assigned to Hubert Figuiere @hub
Link to original bug (#106981)
Description
Created attachment 140255 poc file

Crash reproduced with an AFL-instrumented build of exempi 2.4.5 by opening the attached file for reading:

    aflbuild/installed/bin/exempi -x -o out 1-poc-data-null-pointer

gdb session on the resulting core file:

Reading symbols from aflbuild/installed/bin/exempi...done.
[New LWP 18]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `aflbuild/installed/bin/exempi -x -o out 1-poc-data-null-pointer'.
Program terminated with signal SIGSEGV, Segmentation fault.

Reviewer notes: the fault is a read through `data` inside WEBP::GetLE32 (WEBP_Support.hpp:45), reached from WEBP::VP8XChunk::xmp (WEBP_Support.cpp:163) while WEBP::Container's constructor walks the file's chunks (WEBP_Support.cpp:210) during WEBP_MetaHandler::CacheFileData. Frame #8 shows the file was opened with XMP_OPEN_READ, so the crash is triggered by simply opening an attacker-supplied WebP file — any consumer of xmp_files_open_new on untrusted input is exposed to at least a denial of service. Note that `data` is `<optimized out>` in frame #0, so this trace alone does not establish that the pointer is actually NULL rather than pointing outside the chunk buffer; confirm the faulting address with `p $_siginfo._sifields._sigfault.si_addr` in gdb, or rerun the PoC under an ASan build, before treating this as a plain NULL dereference. The likely fix site is the caller at WEBP_Support.cpp:163, which presumably needs to verify that the XMP chunk's payload exists and holds at least the four bytes GetLE32 reads — to be confirmed against that source.
#0 WEBP::GetLE32 (data=<optimized out>) at ../../../../exempi-2.4.5/XMPFiles/source/FormatSupport/WEBP_Support.hpp:45
45 return (XMP_Uns32)GetLE16(data) | (GetLE16(data + 2) << 16);
gdb-peda$ bt
#0 WEBP::GetLE32 (data=<optimized out>) at ../../../../exempi-2.4.5/XMPFiles/source/FormatSupport/WEBP_Support.hpp:45
#1 WEBP::VP8XChunk::xmp (this=0x155f850, hasXMP=hasXMP@entry=0x1) at ../../../../exempi-2.4.5/XMPFiles/source/FormatSupport/WEBP_Support.cpp:163
#2 0x00007f4f100cb484 in WEBP::Container::Container (this=0x155f450, handler=0x155f230) at ../../../../exempi-2.4.5/XMPFiles/source/FormatSupport/WEBP_Support.cpp:210
#3 0x00007f4f0ff05598 in WEBP_MetaHandler::CacheFileData (this=0x155f230) at ../../../../exempi-2.4.5/XMPFiles/source/FileHandlers/WEBP_Handler.cpp:89
#4 0x00007f4f0fdd72e3 in DoOpenFile (openFlags=<optimized out>, format=0x20202020, clientPath=0x7fffe9c928fc "1-poc-data-null-pointer", clientIO=0x0, thiz=0x155f020) at ../../../exempi-2.4.5/XMPFiles/source/XMPFiles.cpp:908
#5 XMPFiles::OpenFile (this=0x155f020, clientPath=0x7fffe9c928fc "1-poc-data-null-pointer", format=0x20202020, openFlags=<optimized out>) at ../../../exempi-2.4.5/XMPFiles/source/XMPFiles.cpp:1011
#6 0x00007f4f0fdc5961 in WXMPFiles_OpenFile_1 (xmpObjRef=0x155f020, filePath=0x7fffe9c928fc "1-poc-data-null-pointer", format=0x20202020, openFlags=0x1, wResult=0x7fffe9c913e0)
at ../../../exempi-2.4.5/XMPFiles/source/WXMPFiles.cpp:234
#7 0x00007f4f0fb0fb84 in TXMPFiles<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >::OpenFile (this=this@entry=0x1559fd0, filePath=filePath@entry=0x7fffe9c928fc "1-poc-data-null-pointer",
format=format@entry=0x20202020, openFlags=openFlags@entry=0x1) at ../../exempi-2.4.5/public/include/client-glue/TXMPFiles.incl_cpp:313
#8 0x00007f4f0faf1154 in xmp_files_open_new (path=path@entry=0x7fffe9c928fc "1-poc-data-null-pointer", options=options@entry=XMP_OPEN_READ) at ../../exempi-2.4.5/exempi/exempi.cpp:280
#9 0x000000000040577d in get_xmp_from_file (filename=filename@entry=0x7fffe9c928fc "1-poc-data-null-pointer", no_reconcile=no_reconcile@entry=0x0, is_an_xmp=is_an_xmp@entry=0x0) at ../../exempi-2.4.5/exempi/main.cpp:235
#10 0x00000000004030e9 in dump_xmp (outio=0x155edf0, is_an_xmp=<optimized out>, no_reconcile=<optimized out>, filename=0x7fffe9c928fc "1-poc-data-null-pointer") at ../../exempi-2.4.5/exempi/main.cpp:250
#11 process_file (output="out", prop_value="", value_name="", action=<optimized out>, dump_xml=<optimized out>, write_in_place=<optimized out>, is_an_xmp=<optimized out>, no_reconcile=<optimized out>,
filename=0x7fffe9c928fc "1-poc-data-null-pointer") at ../../exempi-2.4.5/exempi/main.cpp:340
#12 main (argc=<optimized out>, argc@entry=0x5, argv=0x7fffe9c917f8, argv@entry=0x7fffe9c917d8) at ../../exempi-2.4.5/exempi/main.cpp:187
#13 0x00007f4f0f149830 in __libc_start_main (main=0x401880 <main(int, char**)>, argc=0x5, argv=0x7fffe9c917d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffe9c917c8)
at ../csu/libc-start.c:291
#14 0x0000000000405489 in _start ()
Attachment 140255, "poc file":
1-poc-data-null-pointer