Merge pull request #1027 from Exiv2/mergify/bp/0.27-maintenance/pr-1020

crwimage: Check offset and size against total size (bp #1020)
6 years ago · 50e9dd964a
parent 0fd1ad3ed0 0a4fdae360
commit 50e9dd964a
4 changed files with 18 additions and 0 deletions
--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
@ -268,6 +268,9 @@ namespace Exiv2 {
 #ifdef EXIV2_DEBUG_MESSAGES
        std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
 #endif
+        if (this->offset() + this->size() > size)
+            throw Error(kerOffsetOutOfRange);
+
        readDirectory(pData + offset(), this->size(), byteOrder);
 #ifdef EXIV2_DEBUG_MESSAGES
        std::cout << "<---- 0x" << std::hex << tag() << "\n";
--- a/test/data/POC-file_issue_1019
+++ b/test/data/POC-file_issue_1019
--- a/tests/bugfixes/github/test_issue_1019.py
+++ b/tests/bugfixes/github/test_issue_1019.py
@ -0,0 +1,14 @@
+from system_tests import CaseMeta, path
+
+
+class OverreadInCiffDirectoryReadDirectory(metaclass=CaseMeta):
+
+    filename = path("$data_path/POC-file_issue_1019")
+    commands = ["$exiv2 -pv $filename"]
+    stdout = [""]
+    stderr = [
+        """$exiv2_exception_message $filename:
+$kerOffsetOutOfRange
+"""
+    ]
+    retval = [1]
--- a/tests/suite.conf
+++ b/tests/suite.conf
@ -20,6 +20,7 @@ easyaccess_test: ${ENV:exiv2_path}/easyaccess-test${ENV:binary_extension}
 taglist: ${ENV:exiv2_path}/taglist${ENV:binary_extension}

 [variables]
+kerOffsetOutOfRange: Offset out of range
 kerFailedToReadImageData: Failed to read image data
 kerCorruptedMetadata: corrupted image metadata
 kerInvalidMalloc: invalid memory allocation request