Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toLong function in value.cpp, related to crafted metadata in a TIFF file.
Exiv2 0.26 is vulnerable to a Null Pointer Dereference when processing specially crafted TIFF image files. The flaw is in the Exiv2::DataValue::toLong function; an attacker who can supply such a file can crash the application (denial of service) and, in some scenarios, potentially achieve remote code execution (RCE).
Step 1: Payload Delivery: The attacker crafts a malicious TIFF image file containing specially crafted metadata designed to trigger the vulnerability.
Step 2: File Ingestion: The victim application, which uses Exiv2 0.26, opens or processes the malicious TIFF file. This could happen through various means, such as a user opening the file, a web server processing an uploaded image, or an automated image processing pipeline.
Step 3: Metadata Parsing: Exiv2's parsing routines begin to analyze the TIFF file's metadata.
Step 4: Vulnerability Trigger: The Exiv2::DataValue::toLong function is called to convert a specific metadata value.
Step 5: Null Pointer Dereference: Due to the crafted metadata, the toLong function attempts to dereference a null pointer, leading to a crash.
Step 6: Potential for RCE: While the primary impact is a crash (Denial of Service), in some scenarios, a skilled attacker might be able to leverage this crash to achieve remote code execution (RCE) by carefully crafting the malicious TIFF file to overwrite specific memory locations and control program execution. This is highly dependent on the application's memory layout and the attacker's ability to predict memory addresses.
The vulnerability lies in the Exiv2::DataValue::toLong function in value.cpp of Exiv2 0.26, which converts data values read from image metadata. The root cause is a Null Pointer Dereference: the code fails to validate data read from a crafted TIFF file, and when certain metadata structures are processed the function dereferences a null pointer and crashes. The TIFF file's metadata can be manipulated so that the function accesses an invalid memory address; this could be due to incorrect handling of data types, sizes, or offsets within the file's structure. The lack of proper input validation allows this malicious metadata to reach the conversion routine and trigger the null pointer dereference.
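The missing validation described above, as an added illustration that is not Exiv2's own code: a hypothetical DataValue whose toLong reads the value buffer unchecked, beside a hardened version that validates the pointer and index, fed by a constructed TIFF IFD entry whose count of 0 leaves the value empty. The zero-count entry, the inline BYTE layout and all names are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstddef>
// Hypothetical stand-in for a metadata value holder (byte pointer + size).
// Constructed for illustration; it is not Exiv2's DataValue.
struct DataValue {
    const uint8_t* pData_ = nullptr;   // null when the entry carries no bytes
    size_t         size_  = 0;
    mutable bool   ok_    = true;
    // Unchecked conversion: reads pData_[n] without verifying that pData_
    // is non-null or that n lies inside the buffer (the bug class above).
    long toLongUnchecked(size_t n) const {
        ok_ = true;
        return pData_[n];
    }
    // Hardened conversion: validate before touching memory and report
    // failure through ok_ instead of crashing.
    long toLongChecked(size_t n) const {
        if (pData_ == nullptr || n >= size_) { ok_ = false; return 0; }
        ok_ = true;
        return pData_[n];
    }
};

static uint32_t le32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Build a DataValue from one 12-byte little-endian TIFF IFD entry
// (tag, type, count, value/offset) of type BYTE whose value fits inline.
// A count of 0 yields an empty value with a null data pointer (assumed).
DataValue valueFromEntry(const uint8_t* entry) {
    uint32_t count = le32(entry + 4);
    DataValue v;
    if (count > 0 && count <= 4) { v.pData_ = entry + 8; v.size_ = count; }
    return v;
}

// Constructed samples: tag 0x0103, type 1 (BYTE).
const uint8_t kEmptyCountEntry[12] = {0x03,0x01, 0x01,0x00, 0,0,0,0,    0,0,0,0};
const uint8_t kBenignEntry[12]     = {0x03,0x01, 0x01,0x00, 1,0,0,0, 0x2A,0,0,0};

// Parse an entry and convert its first value with the hardened path.
long convertFirst(const uint8_t* entry, bool* ok) {
    DataValue v = valueFromEntry(entry);
    long r = v.toLongChecked(0);
    *ok = v.ok_;
    return r;
}
```

Calling toLongUnchecked(0) on the value built from kEmptyCountEntry reads through a null pointer; the checked path returns 0 with ok_ cleared, which is the behaviour a caller should test for.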