Merge pull request #2916 from kevinbackhouse/fix-GHSA-g9xm-7538-mq8w

Avoid out-of-bounds read in QuickTimeVideo::NikonTagsDecoder
1 year ago · 11c4db8f0c
parent 36e3d55fed 79ab2f6ae2
commit 11c4db8f0c
4 changed files with 22 additions and 2 deletions
--- a/src/quicktimevideo.cpp
+++ b/src/quicktimevideo.cpp
@ -906,7 +906,7 @@ void QuickTimeVideo::userDataDecoder(size_t size_external) {

 void QuickTimeVideo::NikonTagsDecoder(size_t size_external) {
  size_t cur_pos = io_->tell();
-  DataBuf buf(200);
+  DataBuf buf(201);
  DataBuf buf2(4 + 1);
  uint32_t TagID = 0;
  uint16_t dataLength = 0;
@ -1027,14 +1027,16 @@ void QuickTimeVideo::NikonTagsDecoder(size_t size_external) {
      std::memset(buf.data(), 0x0, buf.size());

      // Sanity check with an "unreasonably" large number
-      if (dataLength > 200) {
+      if (dataLength >= buf.size()) {
 #ifndef SUPPRESS_WARNINGS
        EXV_ERROR << "Xmp.video Nikon Tags, dataLength was found to be larger than 200."
                  << " Entries considered invalid. Not Processed.\n";
 #endif
        io_->seek(io_->tell() + dataLength, BasicIo::beg);
+        buf.data()[0] = '\0';
      } else {
        io_->readOrThrow(buf.data(), dataLength);
+        buf.data()[dataLength] = '\0';
      }

      if (td) {
--- a/test/data/issue_ghsa_g9xm_7538_mq8w_poc.mov
+++ b/test/data/issue_ghsa_g9xm_7538_mq8w_poc.mov
--- a/tests/bugfixes/github/test_issue_ghsa_g9xm_7538_mq8w.py
+++ b/tests/bugfixes/github/test_issue_ghsa_g9xm_7538_mq8w.py
@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
+
+class QuickTimeVideoNikonTagsDecoderOutOfBoundsRead(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-g9xm-7538-mq8w
+    """
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-g9xm-7538-mq8w"
+
+    filename = path("$data_path/issue_ghsa_g9xm_7538_mq8w_poc.mov")
+    commands = ["$exiv2 $filename"]
+    retval = [1]
+
+    compare_stdout = check_no_ASAN_UBSAN_errors
+    compare_stderr = check_no_ASAN_UBSAN_errors
--- a/tests/regression_tests/test_regression_allfiles.py
+++ b/tests/regression_tests/test_regression_allfiles.py
@ -117,6 +117,7 @@ def get_valid_files(data_dir):
        "issue_ghsa_7569_phvm_vwc2_poc.jp2",
        "issue_ghsa_mxw9_qx4c_6m8v_poc.jp2",
        "issue_ghsa_hrw9_ggg3_3r4r_poc.jpg",
+        "issue_ghsa_g9xm_7538_mq8w_poc.mov",
        "pocIssue283.jpg",
        "poc_1522.jp2",
        "xmpsdk.xmp",