Merge pull request #1798 from Exiv2/mergify/bp/main/pr-1789

&bytes[0] (std::vector) will crash if bytes has zero elements (backport #1789)
4 years ago · 01b109e8ff
parent 81bf649540 3892634771
commit 01b109e8ff
3 changed files with 34 additions and 12 deletions
--- a/src/image.cpp
+++ b/src/image.cpp
@ -467,20 +467,20 @@ namespace Exiv2 {
                            seekOrThrow(io, restore, BasicIo::beg, kerCorruptedMetadata);
                        }
                    } else if ( option == kpsRecursive && tag == 0x83bb /* IPTCNAA */ ) {
                        if (count > 0) {
                            if (static_cast<size_t>(Safe::add(count, offset)) > io.size()) {
                                throw Error(kerCorruptedMetadata);
                            }
-                        if (static_cast<size_t>(Safe::add(count, offset)) > io.size()) {
+                            const long restore = io.tell();
-                            throw Error(kerCorruptedMetadata);
+                            seekOrThrow(io, offset, BasicIo::beg, kerCorruptedMetadata);  // position
                            std::vector<byte> bytes(count) ;  // allocate memory
                            // TODO: once we have C++11 use bytes.data()
                            readOrThrow(io, &bytes[0], count, kerCorruptedMetadata);
                            seekOrThrow(io, restore, BasicIo::beg, kerCorruptedMetadata);
                            // TODO: once we have C++11 use bytes.data()
                            IptcData::printStructure(out, makeSliceUntil(&bytes[0], count), depth);
                        }
                        const long restore = io.tell();
                        seekOrThrow(io, offset, BasicIo::beg, kerCorruptedMetadata);  // position
                        std::vector<byte> bytes(count) ;  // allocate memory
                        // TODO: once we have C++11 use bytes.data()
                        readOrThrow(io, &bytes[0], count, kerCorruptedMetadata);
                        seekOrThrow(io, restore, BasicIo::beg, kerCorruptedMetadata);
                        // TODO: once we have C++11 use bytes.data()
                        IptcData::printStructure(out, makeSliceUntil(&bytes[0], count), depth);
                    }  else if ( option == kpsRecursive && tag == 0x927c /* MakerNote */ && count > 10) {
                        const long restore = io.tell();  // save
--- a/test/data/issue_ghsa_g44w_q3vm_gwjq_poc.jpg
+++ b/test/data/issue_ghsa_g44w_q3vm_gwjq_poc.jpg
--- a/tests/bugfixes/github/test_issue_g44w_q3vm_gwjq.py
+++ b/tests/bugfixes/github/test_issue_g44w_q3vm_gwjq.py
@ -0,0 +1,22 @@
 # -*- coding: utf-8 -*-
 from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
 import unittest
@unittest.skip("Skipping test using option -pR (only for Debug mode)")
 class ImagePrintIFDStructureZeroCountAssert(metaclass=CaseMeta):
    """
    Regression test for the bug described in:
    https://github.com/Exiv2/exiv2/security/advisories/GHSA-g44w-q3vm-gwjq
    """
    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-g44w-q3vm-gwjq"
    filename = path("$data_path/issue_ghsa_g44w_q3vm_gwjq_poc.jpg")
    commands = ["$exiv2 -pR $filename"]
    stderr = ["""invalid type in tiff structure0
 Exiv2 exception in print action for file $filename:
 $kerInvalidTypeValue
 """]
    retval = [1]
    compare_stdout = check_no_ASAN_UBSAN_errors