SEGV on Exiv2::PngImage::printStructure

[legend-issue]

STRUCTURE OF PNG FILE: ./fuzzdata_2018_5_13_11_28_25/crash/SEGV-0x607000010000_output__1526182114.43
 address | chunk |  length | data                           | checksum
       8 | IHDR  |      13 | ...o...Z....                   | 0xb672087e
      33 | bKGD  |       6 | ......                         | 0xa0bda793
      51 | pHYs  |       9 | ...H...H                       | 0x46c96b3e
      72 | IDAT  |   20639 | x...y.e.U....p.7.......5.U.... | 0x7b95dac3
   20723 | tEXt  |      37 | date:create.2012-06-19T16:25:2 | 0x6d339eca
   20772 | tEXt  |      37 | date:modify.2012-06-19T16:25:2 | 0x1c6e2676
   20821 | tEXt  |      70 | software.ImageMagick 6.7.3-4 2 | 0x0c7b7a53
ASAN:SIGSEGV
==54820==ERROR: AddressSanitizer: SEGV on unknown address 0x607000010000 (pc 0x7f8c9117c3e6 bp 0x000000000009 sp 0x7ffe60505b10 T0)
    #0 0x7f8c9117c3e5 in Exiv2::PngImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int) (/home/aflgo/song/exiv2/src/.libs/libexiv2.so.26+0x1963e5)
    #1 0x415a85 in Action::Print::printStructure(std::ostream&, Exiv2::PrintStructureOption) (/home/aflgo/song/exiv2/bin/.libs/lt-exiv2+0x415a85)
    #2 0x41d5d1 in Action::Print::run(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (/home/aflgo/song/exiv2/bin/.libs/lt-exiv2+0x41d5d1)
    #3 0x4070dd in main (/home/aflgo/song/exiv2/bin/.libs/lt-exiv2+0x4070dd)
    #4 0x7f8c906a482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x4073b8 in _start (/home/aflgo/song/exiv2/bin/.libs/lt-exiv2+0x4073b8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 Exiv2::PngImage::printStructure(std::ostream&, Exiv2::PrintStructureOption, int)
==54820==ABORTING

The command line is exiv2 -pR [poc].
And I think you need to use ASAN to reproduce. Otherwise,it can't crash and it's like an information leak.
https://github.com/legend-issue/pocs/blob/master/exiv2/SEGV-0x607000010000_output__1526182114.43

[piponazo]

Hi @legend-issue , could you please make the POC accessible? It seems that the link is broken.

[legend-issue]

Sorry,I think it's OK now!

[piponazo]

Yes 😃 , we'll take a look ASAP

[fgeek]

Can't reproduce in bb20191 or c80b1b9 with or without ASan. Are you sure you are fuzzing the latest code commit?

[legend-issue]

I think it's the latest code commit after I check it.I find this without fuzz.I just compile with ASAN and use some testcases. @fgeek

[fgeek]

Someone has requested a CVE identifier for this issue (not sure why), which is https://nvd.nist.gov/vuln/detail/CVE-2018-11037

[D4N]

I can neither reproduce this on master.

@legend-issue Could you please provide us with the commit with which you build this? Otherwise I am going to close this issue.

[D4N]

I am closing this issue, as it cannot be reproduced.