Merge pull request #2916 from kevinbackhouse/fix-GHSA-g9xm-7538-mq8w

Avoid out-of-bounds read in QuickTimeVideo::NikonTagsDecoder
main
Kevin Backhouse 1 year ago committed by GitHub
commit 11c4db8f0c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -906,7 +906,7 @@ void QuickTimeVideo::userDataDecoder(size_t size_external) {
void QuickTimeVideo::NikonTagsDecoder(size_t size_external) { void QuickTimeVideo::NikonTagsDecoder(size_t size_external) {
size_t cur_pos = io_->tell(); size_t cur_pos = io_->tell();
DataBuf buf(200); DataBuf buf(201);
DataBuf buf2(4 + 1); DataBuf buf2(4 + 1);
uint32_t TagID = 0; uint32_t TagID = 0;
uint16_t dataLength = 0; uint16_t dataLength = 0;
@ -1027,14 +1027,16 @@ void QuickTimeVideo::NikonTagsDecoder(size_t size_external) {
std::memset(buf.data(), 0x0, buf.size()); std::memset(buf.data(), 0x0, buf.size());
// Sanity check with an "unreasonably" large number // Sanity check with an "unreasonably" large number
if (dataLength > 200) { if (dataLength >= buf.size()) {
#ifndef SUPPRESS_WARNINGS #ifndef SUPPRESS_WARNINGS
EXV_ERROR << "Xmp.video Nikon Tags, dataLength was found to be larger than 200." EXV_ERROR << "Xmp.video Nikon Tags, dataLength was found to be larger than 200."
<< " Entries considered invalid. Not Processed.\n"; << " Entries considered invalid. Not Processed.\n";
#endif #endif
io_->seek(io_->tell() + dataLength, BasicIo::beg); io_->seek(io_->tell() + dataLength, BasicIo::beg);
buf.data()[0] = '\0';
} else { } else {
io_->readOrThrow(buf.data(), dataLength); io_->readOrThrow(buf.data(), dataLength);
buf.data()[dataLength] = '\0';
} }
if (td) { if (td) {
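Review bot: The new size in `DataBuf buf(201);` (first hunk) is a bare magic number, while the unchanged error text in the second hunk still hard-codes "larger than 200", so the buffer size, the `dataLength >= buf.size()` check and the message can drift apart again. Writing it as `DataBuf buf(200 + 1);  // 200 data bytes plus a NUL terminator` would match `DataBuf buf2(4 + 1);` on the next line and document why the extra byte exists. The two added `'\0'` stores are redundant with the `std::memset` just above them, but they are harmless as defence in depth, presumably because `buf` is read as a C string further down. The return value of `io_->seek(...)` in the reject branch is not checked in the visible lines, so it is worth confirming that a `dataLength` pointing past end-of-file is caught elsewhere. The body of NikonTagsDecoder starts and ends outside both hunks.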

@ -0,0 +1,17 @@
# -*- coding: utf-8 -*-
from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
class QuickTimeVideoNikonTagsDecoderOutOfBoundsRead(metaclass=CaseMeta):
"""
Regression test for the bug described in:
https://github.com/Exiv2/exiv2/security/advisories/GHSA-g9xm-7538-mq8w
"""
url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-g9xm-7538-mq8w"
filename = path("$data_path/issue_ghsa_g9xm_7538_mq8w_poc.mov")
commands = ["$exiv2 $filename"]
retval = [1]
compare_stdout = check_no_ASAN_UBSAN_errors
compare_stderr = check_no_ASAN_UBSAN_errors
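Review bot: `CopyTmpFiles` is imported but not used anywhere in the visible test class, so the import can be reduced to `from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors`. The only assertions are `retval = [1]` and the two `check_no_ASAN_UBSAN_errors` comparisons, so the test presumably catches a regression of the over-read only when exiv2 is built with ASan/UBSan. A sentence in the docstring saying so would help anyone who sees it pass on a plain build.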

@ -117,6 +117,7 @@ def get_valid_files(data_dir):
"issue_ghsa_7569_phvm_vwc2_poc.jp2", "issue_ghsa_7569_phvm_vwc2_poc.jp2",
"issue_ghsa_mxw9_qx4c_6m8v_poc.jp2", "issue_ghsa_mxw9_qx4c_6m8v_poc.jp2",
"issue_ghsa_hrw9_ggg3_3r4r_poc.jpg", "issue_ghsa_hrw9_ggg3_3r4r_poc.jpg",
"issue_ghsa_g9xm_7538_mq8w_poc.mov",
"pocIssue283.jpg", "pocIssue283.jpg",
"poc_1522.jp2", "poc_1522.jp2",
"xmpsdk.xmp", "xmpsdk.xmp",
