libexif / exif

A small command-line utility to show EXIF information hidden in JPEG files
GNU Lesser General Public License v2.1

NullPointer in Action.c:718 #5

Closed tl455047 closed 3 years ago

tl455047 commented 3 years ago

Hello, I found a NULL pointer being passed as the source argument of strncpy at actions.c:718. It can be triggered with specific command-line arguments; the gdb dump below shows `src: 0x0`, i.e. the tag-title lookup returned NULL and strncpy then dereferences it (presumably an entry whose tag has no title in its IFD, which survives because --no-fixup skips the fix-up pass). version: exif-0.6.22; system: ubuntu-20.04; build: with asan; POC: poc.zip; command:

./exif --no-fixup -x poc

asan

AddressSanitizer:DEADLYSIGNAL
=================================================================
==223657==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8126ddd821 bp 0x7ffeba289580 sp 0x7ffeba288ce8 T0)
==223657==The signal is caused by a READ memory access.
==223657==Hint: address points to the zero page.
    #0 0x7f8126ddd820  (/lib/x86_64-linux-gnu/libc.so.6+0x18b820)
    #1 0x7f812700f5bf in __interceptor_strncpy (/lib/x86_64-linux-gnu/libasan.so.5+0xba5bf)
    #2 0x55a122fb278a in show_entry_xml /home/tl455047/target/exif/exif/actions.c:718
    #3 0x7f8126e8cbfe in exif_content_foreach_entry /home/tl455047/target/libexif/libexif/exif-content.c:225
    #4 0x7f8126e8cbfe in exif_content_foreach_entry /home/tl455047/target/libexif/libexif/exif-content.c:216
    #5 0x7f8126e98cfa in exif_data_foreach_content /home/tl455047/target/libexif/libexif/exif-data.c:1174
    #6 0x7f8126e98cfa in exif_data_foreach_content /home/tl455047/target/libexif/libexif/exif-data.c:1165
    #7 0x55a122fbbfba in action_tag_list_xml /home/tl455047/target/exif/exif/actions.c:747
    #8 0x55a122fb09b1 in main /home/tl455047/target/exif/exif/main.c:474
    #9 0x7f8126c790b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #10 0x55a122fb0e2d in _start (/home/tl455047/target/exif/exif/exif+0xce2d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18b820) 
==223657==ABORTING

without asan

<exif>
    <Manufacturer>Canon</Manufacturer>
    <Model>Canon EOS 40D</Model>
    <Orientation>Top-left</Orientation>
    <Y-Resolution>72</Y-Resolution>
    <Resolution_Unit>Inch</Resolution_Unit>
    <Software>GIMP 2.4.5</Software>
    <Date_and_Time>2008:07:31 10:38:11</Date_and_Time>
    <YCbCr_Positioning>Co-sited</YCbCr_Positioning>
Segmentation fault

gdb

LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────
*RAX  0x0
 RBX  0xffffffff91a ◂— 0x0
*RCX  0xa5
 RDX  0x400
 RDI  0x7fffffffcd70 ◂— 'YCbCr_Positioning'
*RSI  0x0
*R8   0xa5
*R9   0x606000002250 —▸ 0x603000000220 —▸ 0x60e000000040 —▸ 0x604000000510 —▸ 0x50000829a ◂— ...
*R10  0xc080000018a ◂— 0x0
*R11  0x0
 R12  0x7fffffffd210 ◂— 0x0
 R13  0x7fffffffcd70 ◂— 'YCbCr_Positioning'
*R14  0x604000000c50 —▸ 0x40000a925 ◂— 0x0
 R15  0x603000000160 —▸ 0x607000000560 —▸ 0x604000000250 —▸ 0x20000010f ◂— 0x0
 RBP  0x7fffffffc8d0 ◂— 0x41b58ab3
 RSP  0x7fffffffc8c0 —▸ 0x7fffffffc8d0 ◂— 0x41b58ab3
 RIP  0x555555562786 (show_entry_xml+518) ◂— call   0x55555555edb0
────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x555555562786 <show_entry_xml+518>    call   strncpy@plt                <strncpy@plt>
        dest: 0x7fffffffcd70 ◂— 'YCbCr_Positioning'
        src: 0x0
        n: 0x400

   0x55555556278b <show_entry_xml+523>    lea    rdi, [r12 - 0xa1]
   0x555555562793 <show_entry_xml+531>    mov    r15, rdi
   0x555555562796 <show_entry_xml+534>    mov    rdx, rdi
   0x555555562799 <show_entry_xml+537>    shr    r15, 3
   0x55555556279d <show_entry_xml+541>    and    edx, 7
   0x5555555627a0 <show_entry_xml+544>    movzx  eax, byte ptr [r15 + 0x7fff8000]
   0x5555555627a8 <show_entry_xml+552>    cmp    al, dl
   0x5555555627aa <show_entry_xml+554>    jg     show_entry_xml+564                <show_entry_xml+564>

   0x5555555627ac <show_entry_xml+556>    test   al, al
   0x5555555627ae <show_entry_xml+558>    jne    show_entry_xml+2052                <show_entry_xml+2052>
─────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/tl455047/target/exif/exif/actions.c
   713  if (*ids) {
   714      fprintf (stdout, "<x%04x>", e->tag);
   715      fprintf (stdout, "%s", escape_xml(exif_entry_get_value (e, v, sizeof (v))));
   716      fprintf (stdout, "</x%04x>", e->tag);
   717  } else {
 ► 718      strncpy (t, exif_tag_get_title_in_ifd(e->tag, exif_entry_get_ifd(e)), sizeof (t));
   719      t[sizeof(t)-1] = 0;
   720 
   721      /* Remove invalid characters from tag eg. (, ), space */
   722      remove_bad_chars(t);
   723 
─────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffc8c0 —▸ 0x7fffffffc8d0 ◂— 0x41b58ab3
01:0008│     0x7fffffffc8c8 —▸ 0x7ffff74636a0 (_IO_2_1_stdout_) —▸ 0xfbad2a84 ◂— 0x0
02:0010│ rbp 0x7fffffffc8d0 ◂— 0x41b58ab3
03:0018│     0x7fffffffc8d8 —▸ 0x555555577488 ◂— '2 32 1024 5 v:711 1184 1024 5 t:711'
04:0020│     0x7fffffffc8e0 —▸ 0x555555562580 (show_entry_xml) ◂— lea    rsp, [rsp - 0x98]
05:0028│     0x7fffffffc8e8 —▸ 0x7ffff730aad1 (_IO_do_write+177) ◂— mov    r13, rax
06:0030│     0x7fffffffc8f0 ◂— 'Co-sited'
07:0038│     0x7fffffffc8f8 ◂— 0x0
───────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0   0x555555562786 show_entry_xml+518
   f 1   0x7ffff74b1bff exif_content_foreach_entry+255
   f 2   0x7ffff74b1bff exif_content_foreach_entry+255
   f 3   0x7ffff74bdcfb exif_data_foreach_content+187
   f 4   0x7ffff74bdcfb exif_data_foreach_content+187
   f 5   0x55555556bfbb action_tag_list_xml+379
   f 6   0x5555555609b2 main+5554
   f 7   0x7ffff729e0b3 __libc_start_main+243
msmeissn commented 3 years ago

Thanks for the report; I added a NULL check at this place.