Bug#779696: metacam: segmentation fault at getRATIONAL dpyfuncs.cc:938
Henri Salo
henri at nerv.fi
Wed Mar 4 06:55:20 UTC 2015
Package: metacam
Version: 1.2-6
Severity: important
Tags: security
metacam crashes when using the following example input file fuzzed with AFL
<http://lcamtuf.coredump.cx/afl/>.
727e57e1d8f6a88bdefee47198ff8ab94fe2e1dc afl-metacam-sample-002.jpg
Starting program: metacam afl-metacam-sample-002.jpg
File: afl-metacam-sample-002.jpg
Standard Fields -----------------------------------
Make: EASTMAN KODAK COMPANY
Model: KODAK CX4200 DIGITAL CAMERA
Software Version: Ver�on 1.0100
X Resolution: 230 Pixels/Inch
Y Resolution: 230 Pixels/Inch
Bits Per Sample: (1)
YCbCr Positioning: Datum Point
WARNING: Unknown field type 65535
WARNING: Unknown field type 65535
WARNING: Unknown field type 37
WARNING: Unknown field type 136
WARNING: Unknown field type 144
WARNING: Unknown field type 12432
WARNING: Unknown field type 5264
WARNING: Unknown field type 10385
WARNING: Unknown field type 145
WARNING: Unknown field type 19602
WARNING: Unknown field type 21650
WARNING: Unknown field type 23698
WARNING: Unknown field type 25746
WARNING: Unknown field type 27794
WARNING: Unknown field type 146
WARNING: Unknown field type 146
WARNING: Unknown field type 29842
WARNING: Unknown field type 25
EXIF Fields ---------------------------------------
Exposure Time: 35882743/38096943 Sec.
Aperture: f59.3514
Exif Image Width: 1705168 pixels
Exif Image Height: 1632 pixels
Exposure Mode: Auto Exposure
White Balance: Auto White Balance
Sensing Method: Single Chip Color Area Sensor
ColorSpace: sRGB
Program received signal SIGSEGV, Segmentation fault.
getRATIONAL (this=<optimized out>) at dpyfuncs.cc:938
938 }
(gdb) bt
#0 getRATIONAL (this=<optimized out>) at dpyfuncs.cc:938
#1 dpyRationalAsDouble (ctx=..., name=<optimized out>, e=..., units=0x0) at dpyfuncs.cc:346
#2 0x000000000040ebe3 in displayTags (driver=driver at entry=0x661010, header=header at entry=0x45820d "EXIF Fields", tag_map=..., known=<optimized out>, verbose=0) at metacam.cc:86
#3 0x000000000040742f in processFile (is=..., fname=<optimized out>, driver=0x661010) at metacam.cc:296
#4 main (argc=<optimized out>, argv=<optimized out>) at metacam.cc:359
#5 0x00007ffff72d1ead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffe4b8) at libc-start.c:244
#6 0x000000000040c271 in _start ()
(gdb) list
933 17 42 33 43 06 - ?? only on D ??
934 00 00 00 00 00 02 02 - ?? don't know ?? constant
935
936 */
937
938 }
--
Henri Salo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: afl-metacam-sample-002.jpg
Type: image/jpeg
Size: 1642 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/forensics-devel/attachments/20150304/9de55b0f/attachment-0001.jpg>
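An added example, not metacam's code or part of the report, of the bounds checks a RATIONAL getter over an untrusted EXIF IFD entry needs: the 12-byte entry, its value offset and the 8 value bytes are each validated against the buffer length before any read, and a zero denominator is rejected at conversion instead of being divided by. The sample bytes are constructed, and the report does not establish that this is the actual defect in metacam.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds-checked RATIONAL reader for a TIFF/EXIF IFD entry
 * (example code, not metacam's). buf/len is the whole untrusted file. */
enum { TIFF_RATIONAL = 5 };
typedef struct { uint32_t num, den; } rational_t;
static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Returns 0 and fills *out, or -1 if the entry is truncated, is not of type
 * RATIONAL, has count 0, or its value offset does not leave 8 readable bytes.
 * Every field is checked against len before it is dereferenced. */
int get_rational(const uint8_t *buf, size_t len, size_t entry_off, int le, rational_t *out) {
    if (entry_off > len || len - entry_off < 12) return -1;   /* 12-byte IFD entry */
    const uint8_t *e = buf + entry_off;
    uint16_t type = rd16(e + 2, le);
    uint32_t count = rd32(e + 4, le);
    uint32_t off = rd32(e + 8, le);            /* RATIONAL never fits inline */
    if (type != TIFF_RATIONAL || count == 0) return -1;
    if (off > len || len - off < 8) return -1; /* overflow-safe: no off + 8 */
    out->num = rd32(buf + off, le);
    out->den = rd32(buf + off + 4, le);
    return 0;
}
/* Denominator 0 is rejected instead of producing inf/NaN in the output. */
int rational_as_double(const rational_t *r, double *out) {
    if (r->den == 0) return -1;
    *out = (double)r->num / (double)r->den;
    return 0;
}
int main(void) {
    /* Constructed little-endian sample: one ExposureTime (0x829a) entry whose
     * value offset 12 points at 1/30 inside the 20-byte buffer. */
    const uint8_t good[20] = { 0x9a,0x82, 0x05,0x00, 0x01,0x00,0x00,0x00, 0x0c,0x00,0x00,0x00,
                               0x01,0x00,0x00,0x00, 0x1e,0x00,0x00,0x00 };
    /* Same entry with an offset far past the end, as a fuzzed file can carry. */
    const uint8_t bad[12] = { 0x9a,0x82, 0x05,0x00, 0x01,0x00,0x00,0x00, 0xff,0xff,0xff,0xff };
    rational_t r; double d;
    if (get_rational(good, sizeof good, 0, 1, &r) == 0 && rational_as_double(&r, &d) == 0)
        printf("Exposure Time: %u/%u Sec. (%g)\n", r.num, r.den, d);
    printf("bad entry rejected: %d\n", get_rational(bad, sizeof bad, 0, 1, &r) == -1);
    return 0;
}
```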