Merge pull request #1523 from Exiv2/fix_1522_jp2image_exif_asan

Fix 1522 jp2image exif asan
4 years ago · 05ec05342e
parent 4bf2e19628 cac151ec05
commit 05ec05342e
3 changed files with 31 additions and 3 deletions
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@ -28,6 +28,7 @@
 #include "image.hpp"
 #include "image_int.hpp"
 #include "basicio.hpp"
+#include "enforce.hpp"
 #include "error.hpp"
 #include "futils.hpp"
 #include "types.hpp"
@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m)
                            if (io_->error()) throw Error(kerFailedToReadImageData);
                            if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);

-                            if (rawData.size_ > 0)
+                            if (rawData.size_ > 8) // "II*\0long"
                            {
                                // Find the position of Exif header in bytes array.
                                long pos = (     (rawData.pData_[0]      == rawData.pData_[1])
@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m)
                position   = io_->tell();
                box.length = getLong((byte*)&box.length, bigEndian);
                box.type = getLong((byte*)&box.type, bigEndian);
+                enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);

                if (bPrint) {
                    out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)),
@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m)
                                throw Error(kerInputDataReadFailed);

                            if (bPrint) {
-                                out << Internal::binaryToString(makeSlice(rawData, 0, 40));
+                                out << Internal::binaryToString(
+                                        makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_));
                                out.flush();
                            }
                            lf(out, bLF);

-                            if (bIsExif && bRecursive && rawData.size_ > 0) {
+                            if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long"
                                if ((rawData.pData_[0] == rawData.pData_[1]) &&
                                    (rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) {
                                    BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_));
--- a/test/data/poc_1522.jp2
+++ b/test/data/poc_1522.jp2
--- a/tests/bugfixes/github/test_issue_1522.py
+++ b/tests/bugfixes/github/test_issue_1522.py
@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+
+import system_tests
+class issue_1522_exif_asan(metaclass=system_tests.CaseMeta):
+    url      = "https://github.com/Exiv2/exiv2/issues/1522"
+    filename = "$data_path/poc_1522.jp2"
+    commands = ["$exiv2     $filename"
+               ,"$exiv2 -pS $filename"
+               ]
+    retval   = [ 253,1 ] 
+    stderr   = [ """Warning: Failed to decode Exif metadata.
+$filename: No Exif data found in the file
+""","""$exiv2_exception_message $filename:
+$kerCorruptedMetadata
+"""] 
+    stdout   = ["""File name       : $filename
+File size       : 268 Bytes
+MIME type       : image/jp2
+Image size      : 0 x 0
+""","""STRUCTURE OF JPEG2000 FILE: $filename
+ address |   length | box       | data
+       0 |       12 | jP        | 
+      12 |       25 | uuid      | Exif: .
+"""
+]