From e492285d3adc3a79609963ff7e81f790fb06428f Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Sat, 17 Jul 2021 15:55:36 +0100
Subject: [PATCH 1/3] Regression test for https://github.com/Exiv2/exiv2/security/advisories/GHSA-g44w-q3vm-gwjq
(cherry picked from commit 756f28197d39c4d2230f2e02ff214cbfd1cd032e)
---
 test/data/issue_ghsa_g44w_q3vm_gwjq_poc.jpg | Bin 0 -> 347 bytes
 .../github/test_issue_g44w_q3vm_gwjq.py | 20 ++++++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 test/data/issue_ghsa_g44w_q3vm_gwjq_poc.jpg
 create mode 100644 tests/bugfixes/github/test_issue_g44w_q3vm_gwjq.py
diff --git a/test/data/issue_ghsa_g44w_q3vm_gwjq_poc.jpg b/test/data/issue_ghsa_g44w_q3vm_gwjq_poc.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..039b43d6be73fcf8d60b0f8c9c1c7c64a0bfdfb6
GIT binary patch literal 347 zcmex=JsfeFac1!9Kg z-3+WCnpnUHRJek1_UzeUBSe9`BaGHy_N}HFU>c-?p*@p<1xSI|k3jtJ)SMiJ%o2sn zVueJ7sl~aOIjNNjB^e+o2vF?+sfU8y)CCL-nN^8NsU;Z-AsP9(1;zP!dI~a3<_sK0 Z1_l;}MkYpofcAPYKwPEA@E;T01OO$Mc3J=c literal 0 HcmV?d00001
diff --git a/tests/bugfixes/github/test_issue_g44w_q3vm_gwjq.py b/tests/bugfixes/github/test_issue_g44w_q3vm_gwjq.py
new file mode 100644
index 00000000..9a44a925
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_g44w_q3vm_gwjq.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
+
+class ImagePrintIFDStructureZeroCountAssert(metaclass=CaseMeta):
+ """
+ Regression test for the bug described in:
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-g44w-q3vm-gwjq
+ """
+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-g44w-q3vm-gwjq"
+
+ filename = path("$data_path/issue_ghsa_g44w_q3vm_gwjq_poc.jpg")
+ commands = ["$exiv2 -p R $filename"]
+ stderr = ["""invalid type in tiff structure0
+Exiv2 exception in print action for file $filename:
+$kerInvalidTypeValue
+"""]
+ retval = [1]
+
+ compare_stdout = check_no_ASAN_UBSAN_errors
From c3239e3187aa7bf194252b375940bb451d14210f Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Sat, 17 Jul 2021 15:58:16 +0100
Subject: [PATCH 2/3] &bytes[0] will crash if bytes has zero elements.
(cherry picked from commit 3e72d129e53b14e0b62d74aefed6bbd326562d63)
---
 src/image.cpp | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/image.cpp b/src/image.cpp
index 1428e6b0..cde7d4a0 100644
--- a/src/image.cpp
+++ b/src/image.cpp
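Review bot: `CopyTmpFiles` is imported from system_tests but nothing in the new module uses it — the class neither inherits it nor references it — so the import line should read `from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors`. The docstring only links the advisory; since the class name already encodes the condition being tested, a one-line addition such as `The PoC has an IFD entry with a zero count, which previously reached &bytes[0] on an empty vector.` would let a reader understand the test without fetching the advisory (the exact trigger is inferred from the following commit in this series, so confirm it against the PoC).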
@@ -467,20 +467,20 @@ namespace Exiv2 {
 seekOrThrow(io, restore, BasicIo::beg, kerCorruptedMetadata);
 }
 } else if ( option == kpsRecursive && tag == 0x83bb /* IPTCNAA */ ) {
+ if (count > 0) {
+ if (static_cast(Safe::add(count, offset)) > io.size()) {
+ throw Error(kerCorruptedMetadata);
+ }
- if (static_cast(Safe::add(count, offset)) > io.size()) {
- throw Error(kerCorruptedMetadata);
+ const long restore = io.tell();
+ seekOrThrow(io, offset, BasicIo::beg, kerCorruptedMetadata); // position
+ std::vector bytes(count) ; // allocate memory
+ // TODO: once we have C++11 use bytes.data()
+ readOrThrow(io, &bytes[0], count, kerCorruptedMetadata);
+ seekOrThrow(io, restore, BasicIo::beg, kerCorruptedMetadata);
+ // TODO: once we have C++11 use bytes.data()
+ IptcData::printStructure(out, makeSliceUntil(&bytes[0], count), depth);
 }
-
- const long restore = io.tell();
- seekOrThrow(io, offset, BasicIo::beg, kerCorruptedMetadata); // position
- std::vector bytes(count) ; // allocate memory
- // TODO: once we have C++11 use bytes.data()
- readOrThrow(io, &bytes[0], count, kerCorruptedMetadata);
- seekOrThrow(io, restore, BasicIo::beg, kerCorruptedMetadata);
- // TODO: once we have C++11 use bytes.data()
- IptcData::printStructure(out, makeSliceUntil(&bytes[0], count), depth);
-
 } else if ( option == kpsRecursive && tag == 0x927c /* MakerNote */ && count > 10) {
 const long restore = io.tell(); // save
From 3892634771c188c6ef058b0e0ab1fb5a52a19336 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Sat, 17 Jul 2021 22:06:06 +0100
Subject: [PATCH 3/3] Skip unittest because -pR is disabled in release builds so the test fails.
(cherry picked from commit f3be36dfb6aac28a12cf179f4d615789bd72ad55)
---
 tests/bugfixes/github/test_issue_g44w_q3vm_gwjq.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/bugfixes/github/test_issue_g44w_q3vm_gwjq.py b/tests/bugfixes/github/test_issue_g44w_q3vm_gwjq.py
index 9a44a925..cf17b65d 100644
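Review bot: The new `if (count > 0)` guard carries no comment explaining why it exists, so a later reader may read it as an optimisation and fold it back into the bounds check; add `// count == 0: nothing to read, and &bytes[0] on an empty vector is undefined behaviour` directly above it. Both `readOrThrow` and `makeSliceUntil` are given `count`, the raw directory-entry count, as a byte length; if an IPTCNAA entry can carry a type wider than one byte this under-reads the payload, but the entry's type handling is outside the hunk so I cannot confirm it from here. The enclosing function begins and ends outside the hunk.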
--- a/tests/bugfixes/github/test_issue_g44w_q3vm_gwjq.py
+++ b/tests/bugfixes/github/test_issue_g44w_q3vm_gwjq.py
@@ -1,7 +1,9 @@
 # -*- coding: utf-8 -*-
 from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
+import unittest
+@unittest.skip("Skipping test using option -pR (only for Debug mode)")
 class ImagePrintIFDStructureZeroCountAssert(metaclass=CaseMeta):
 """
 Regression test for the bug described in:
@@ -10,7 +12,7 @@ class ImagePrintIFDStructureZeroCountAssert(metaclass=CaseMeta):
 url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-g44w-q3vm-gwjq"
 filename = path("$data_path/issue_ghsa_g44w_q3vm_gwjq_poc.jpg")
- commands = ["$exiv2 -p R $filename"]
+ commands = ["$exiv2 -pR $filename"]
 stderr = ["""invalid type in tiff structure0
 Exiv2 exception in print action for file $filename:
 $kerInvalidTypeValue
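Review bot: The unconditional `@unittest.skip` in the first hunk disables the advisory's regression test in every configuration, including the Debug builds where `-pR` is available, so the fix from the previous commit in this series is no longer exercised anywhere. A conditional skip keyed on the build configuration, e.g. `@unittest.skipUnless(<debug-build-check>, "option -pR is only available in Debug builds")`, would keep it running where it can pass; whether system_tests exposes such a check is not visible here. Separately, `import unittest` is placed after the project import; grouping it with the standard-library imports above `from system_tests import ...` would match the usual ordering.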