Merge pull request #2384 from kevinbackhouse/fix-issue-2383

Avoid null pointer deref
3 years ago · 03abb2c109
parent 222c45c154 6bb956ad80
commit 03abb2c109
4 changed files with 15 additions and 0 deletions
--- a/src/quicktimevideo.cpp
+++ b/src/quicktimevideo.cpp
@ -834,6 +834,7 @@ void QuickTimeVideo::userDataDecoder(size_t size_external) {
    }

    else if (equalsQTimeTag(buf, "CMbo") || equalsQTimeTag(buf, "Cmbo")) {
+      enforce(tv, Exiv2::ErrorCode::kerCorruptedMetadata);
      io_->readOrThrow(buf.data(), 2);
      buf.data()[2] = '\0';
      tv_internal = find(cameraByteOrderTags, Exiv2::toString(buf.data()));
--- a/test/data/issue_2383_poc.mp4
+++ b/test/data/issue_2383_poc.mp4
--- a/tests/bugfixes/github/test_issue_2383.py
+++ b/tests/bugfixes/github/test_issue_2383.py
@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, check_no_ASAN_UBSAN_errors
+
+class issue_2383_QuickTimeVideo_userDataDecoder_null_deref(metaclass=CaseMeta):
+    url      = "https://github.com/Exiv2/exiv2/issues/2383"
+    filename = "$data_path/issue_2383_poc.mp4"
+    commands = ["$exiv2 $filename"]
+    retval   = [1]
+    stderr   = ["""$exiv2_exception_message $filename:
+$kerCorruptedMetadata
+"""]
+    stdout   = [""]
--- a/tests/regression_tests/test_regression_allfiles.py
+++ b/tests/regression_tests/test_regression_allfiles.py
@ -63,6 +63,7 @@ def get_valid_files(data_dir):
        "issue_2366_poc.mp4",
        "issue_2376_poc.mp4",
        "issue_2377_poc.mp4",
+        "issue_2383_poc.mp4",
        "2018-01-09-exiv2-crash-001.tiff",
        "cve_2017_1000126_stack-oob-read.webp",
        "exiv2-bug1247.jpg",