Exiv2 Out-of-Bounds Read Vulnerability in Preview Component Leading to Heap Buffer Overflow

Vulnerability

Exiv2 versions before 0.28.8 contain a memory-safety bug in the preview component. When `LoaderNative::getData()` extracts the embedded thumbnail from a Photoshop IRB preview record in an EPS file, it derives the payload length by subtracting the fixed 28-byte thumbnail header from the record's declared data size. The subtraction is done in unsigned arithmetic with no check that the record is at least 28 bytes long, so a crafted EPS whose IRB preview record declares a data size smaller than 28 makes the length wrap to roughly 4 GB. The loader then reads far past the end of the heap buffer that holds the record and the process crashes. The code path is reached by running Exiv2 with the `-pp` argument on the crafted file.

Impact

The fault is an out-of-bounds read (AddressSanitizer reports it as a heap-buffer-overflow), not a write: nothing described here corrupts memory or gives an attacker a write primitive, so arbitrary code execution is not supported by this bug as described. The realistic outcome is a denial of service: the over-read of several gigabytes cannot complete, and Exiv2, or any application that links libexiv2 and lets it parse attacker-supplied EPS files, aborts.

Reproduction

To reproduce, build Exiv2 from source with Clang and AddressSanitizer enabled. Generate a crafted EPS file with a Python script that embeds a Photoshop IRB thumbnail record whose declared data size is 4 bytes, well below the 28-byte header the loader expects. Running the sanitized `exiv2` binary with the `-pp` option on that file triggers the underflow: the loader attempts to read about 4 GB from a heap buffer that holds only a few bytes, AddressSanitizer reports a heap-buffer-overflow read, and the process aborts.
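The size arithmetic behind the Vulnerability and Reproduction sections above, modelled as an added C example. This is not Exiv2 code: it assumes the thumbnail lives in a Photoshop 8BIM image-resource block with id 0x040C, and that the loader computes the payload length as the record's declared data size minus a fixed 28-byte header in 32-bit unsigned arithmetic. The IRB blob, the function names and the hardened check are constructed for illustration; the EPS wrapper around the record is not modelled.

```c
/* Added example, not Exiv2 code. Models the unsigned underflow in the
 * preview loader: "declared data size - 28" computed without first
 * checking that the record is at least 28 bytes long. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define THUMB_HDR_SIZE 28u        /* header size assumed by the loader (assumption) */
#define IRB_ID_THUMBNAIL 0x040Cu  /* Photoshop 5+ thumbnail resource id (assumption) */

/* Big-endian readers. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk Photoshop Image Resource Blocks ("8BIM", u16 id, Pascal-string name
 * padded to even length, u32 size, data padded to even length) and return
 * the declared data size of the thumbnail resource.
 * Returns 0 on success, -1 if no thumbnail record is found or the buffer
 * is malformed. This parser bounds-checks the container; the bug modelled
 * below is in what the caller does with the declared size afterwards. */
int find_irb_thumbnail(const uint8_t *buf, size_t len, uint32_t *data_size) {
    size_t pos = 0;
    while (pos + 12 <= len) {                 /* sig(4)+id(2)+name(>=2)+size(4) */
        if (memcmp(buf + pos, "8BIM", 4) != 0) return -1;
        uint16_t id = rd16(buf + pos + 4);
        size_t name_len = buf[pos + 6];
        size_t name_field = (name_len + 2) & ~(size_t)1;  /* len byte + name, even-padded */
        size_t size_off = pos + 6 + name_field;
        if (size_off + 4 > len) return -1;
        uint32_t size = rd32(buf + size_off);
        size_t data_off = size_off + 4;
        if (size > len - data_off) return -1;  /* record claims more than the buffer holds */
        if (id == IRB_ID_THUMBNAIL) { *data_size = size; return 0; }
        pos = data_off + size + (size & 1u);   /* skip data plus pad byte */
    }
    return -1;
}

/* Vulnerable arithmetic: unsigned subtraction with no lower-bound check.
 * For a 4-byte record this wraps to 4294967272 (about 4 GiB), the length
 * the loader then reads past the end of its heap buffer. */
uint32_t vulnerable_thumb_payload_size(uint32_t record_size) {
    return record_size - THUMB_HDR_SIZE;
}

/* Hardened form: reject any record shorter than the fixed header. */
int safe_thumb_payload_size(uint32_t record_size, uint32_t *payload_size) {
    if (record_size < THUMB_HDR_SIZE) return -1;
    *payload_size = record_size - THUMB_HDR_SIZE;
    return 0;
}

/* Constructed IRB blob: one unrelated resource (id 0x03ED, 2 data bytes)
 * followed by a thumbnail resource whose declared size is 4 bytes, smaller
 * than the 28-byte header. 30 bytes total. */
static const uint8_t crafted_irb[] = {
    '8','B','I','M', 0x03,0xED, 0x00,0x00, 0x00,0x00,0x00,0x02, 0xAA,0xBB,
    '8','B','I','M', 0x04,0x0C, 0x00,0x00, 0x00,0x00,0x00,0x04, 0x01,0x02,0x03,0x04,
};

/* Runs both computations on the crafted blob. Returns the payload length
 * the vulnerable path would use, or 0 if the blob fails to parse. */
uint32_t demo_crafted(void) {
    uint32_t rec = 0, ok_size = 0;
    if (find_irb_thumbnail(crafted_irb, sizeof crafted_irb, &rec) != 0) return 0;
    uint32_t bad = vulnerable_thumb_payload_size(rec);
    int rc = safe_thumb_payload_size(rec, &ok_size);
    printf("declared record size %u: vulnerable length=%u, hardened check rc=%d\n",
           rec, bad, rc);
    return bad;
}

int main(void) { demo_crafted(); return 0; }
```

The hardened check is the whole fix: a single comparison against the header size before the subtraction. The same pattern (unsigned `total - header` with no minimum-length check) is worth grepping for wherever a parser peels a fixed header off a length it read from the file.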

Remediation

Upgrade to Exiv2 0.28.8 or later, which contains the fix. The bug is in libexiv2 itself, not only in the `exiv2` command-line tool, so applications that embed the library must be rebuilt or relinked against the fixed version; until then, do not let untrusted EPS files reach the preview code path.

Added: Mar 2, 2026, 8:21 PM
Updated: Mar 2, 2026, 8:39 PM

Vulnerability Rating (custom algorithm)

spread: 0.0
impact: 3.1
exploitability: 5.6
remediation: 7.7
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.