In August 2022, a security vulnerability was identified in Exiv2, a widely used C++ library and command-line utility for reading, writing, and manipulating image metadata. This particular issue, tracked as CVE-2022-3718 (VDB-212349), impacts the QuickTimeVideo::decodeBlock function located in the quicktimevideo.cpp file, which is part of the QuickTime Video Handler component. Due to improper handling of certain video files, the code can be tricked into dereferencing a null pointer, leading to a crash (null pointer dereference). This problem can be exploited remotely by an attacker supplying a crafted file.

In this post, we break down the vulnerability, demonstrate how it works, show the relevant code, and discuss remediation.

About Exiv2 and the Vulnerable Function

Exiv2 deals with metadata in image and video files. The QuickTime handler is used for processing QuickTime video file metadata, and QuickTimeVideo::decodeBlock is a key method for this task.

A bug in this method means that, under certain conditions (such as a malformed or malicious QuickTime video file), the function may attempt to use a pointer that hasn't been properly initialized, causing a null pointer dereference. This usually results in the application crashing. For software that processes files automatically (like photo galleries or web services), this could mean remote denial of service.

Where is the Problem?

Here’s a simplified version demonstrating the vulnerability. The real code is larger, but this chunk illustrates the issue:

int QuickTimeVideo::decodeBlock(Block *p) {
    Frame *frame = p->frame;
    // ... (some processing)
    int result = processFrame(frame);
    // ... (more processing)
}

If a crafted file is passed in such a way that p->frame is nullptr, when processFrame(frame) is called, it will cause a null pointer dereference:

int processFrame(Frame *frame) {
    // Unsafe dereference without null-check
    if (frame->width > ) { // <-- Crash if frame is nullptr!
        // ...
    }
    // ...
}

An attacker can trigger this scenario by uploading or sending a special QuickTime file to a victim system running a vulnerable version of Exiv2.

Steps to Reproduce

1. Prepare a malicious QuickTime video file with crafted metadata that causes p->frame to be nullptr when parsed by Exiv2.
2. Upload (or otherwise supply) this file to any service or tool using Exiv2 to scan or process incoming videos/images.
3. Trigger the vulnerability when the file is processed; Exiv2 will crash due to the null pointer dereference.

This is a typical denial of service (DoS) scenario — no arbitrary code execution, but it can take down services that rely on Exiv2.

Suppose you have the following crash log

Segmentation fault (core dumped)
#  x000000000041c59 in processFrame(QuickTimeVideo::Frame*) at quicktimevideo.cpp:210
#1  x0000000000410188 in QuickTimeVideo::decodeBlock(Block*) at quicktimevideo.cpp:165

The logs show that processFrame was given a null pointer, and a dereference attempt crashed the program.

The Fix

The fix (patch name: 459910c36a21369c09b75bcfa82f287c9da56abf) adds a null pointer check to prevent the crash. In simplified form:

int QuickTimeVideo::decodeBlock(Block *p) {
    Frame *frame = p->frame;
    if (!frame) {
        // Proper error handling
        return -1; // Or any other error code
    }
    int result = processFrame(frame);
    // ...
}

Now, the function gracefully fails instead of blindly passing a bad pointer forward.

Vector: Remote (specially crafted file)

- Affected versions: Exiv2 versions before the patch was applied (see commit 459910c3 for exact state)

CVE ID: CVE-2022-3718

- Additional Reference: VULDB-212349

Remediation

- Upgrade Exiv2 to a version after the patch 459910c36a21369c09b75bcfa82f287c9da56abf
- If immediate upgrade is not possible, filter user-supplied files and avoid processing untrusted QuickTime files with Exiv2.

- Exiv2 Official Site
- GitHub Patch Commit
- CVE-2022-3718 Detail - NVD
- Vuldb - VDB-212349

Summary

CVE-2022-3718 is a problematic null pointer dereference in Exiv2's QuickTime video handler. It allows remote attackers to crash applications with a malicious file. The issue was fixed by properly checking for null pointers before dereferencing them. Applications using Exiv2 should apply the patch as soon as possible to protect against service disruptions.


If you use Exiv2, always keep your dependencies up to date. A single vulnerability in a library can bring down your service if overlooked!

Timeline

Published on: 10/27/2022 11:15:00 UTC
Last modified on: 10/28/2022 19:43:00 UTC