From 571d056222887b1f9d236c3512dd919062a28ede Mon Sep 17 00:00:00 2001
From: clanmills
Date: Mon, 6 Apr 2020 10:33:59 +0100
Subject: [PATCH] fix_1091_0.27
---
src/bigtiffimage.cpp | 13 ++++++++++
test/data/issue_712_poc.tif | Bin 0 -> 3720 bytes
tests/bugfixes/github/test_issue_712.py | 30 ++++++++++++++++++++++++
3 files changed, 43 insertions(+)
create mode 100644 test/data/issue_712_poc.tif
create mode 100644 tests/bugfixes/github/test_issue_712.py
diff --git a/src/bigtiffimage.cpp b/src/bigtiffimage.cpp
index 5d4a5944..68a57f90 100644
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@@ -193,6 +193,19 @@ namespace Exiv2 { BasicIo& io = Image::io();
+ // Fix for https://github.com/Exiv2/exiv2/issues/712
+ // A malicious file can cause a very deep recursion, leading to
+ // stack exhaustion.
+ // Note: 200 is an arbitrarily chosen cut-off value. The value
+ // of depth determines the amount of indentation inserted by the
+ // pretty-printer. The output starts to become unreadable as
+ // soon as the indentation exceeds 80 characters or so. That's
+ // why 200 ought to be a reasonable cut-off.
+ if (depth > 200) {
+ out << Internal::indent(depth) << "Maximum indentation depth exceeded." << std::endl;
+ return;
+ }
+ depth++; bool bFirst = true;
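Review bot: When the `depth > 200` guard fires, the function only writes "Maximum indentation depth exceeded." into the pretty-printer stream and returns normally, so a caller processing an untrusted file cannot tell a truncated dump of a malformed image from a complete one. Consider also signalling the condition the way the library reports other corrupted input (an error or a non-zero result), not just printing the message. The limit is a bare literal; a named constant such as `const int maxPrintDepth = 200;` next to the check would keep the rationale comment and the value together. The cut-off bounds recursion depth only; if a directory can reference several sub-directories, total work below the limit may still be large, which is worth checking at the recursive call (outside this hunk, as are the start and end of the enclosing function).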
diff --git a/test/data/issue_712_poc.tif b/test/data/issue_712_poc.tif new file mode 100644 index 0000000000000000000000000000000000000000..d5287d736cb4f1570816a719610039c36297b5d0 GIT binary patch literal 3720 zcmds4O-NKx6h6;C)F5?=#MBxIYEe-r(QKk&7S@PD8$m)`$Wi&DyW4&5X`1fP(l!5AWz@9_ucpI`x_@(WL@yhefQpX?m6E%-#N#8{wy`q z(BK%=G){S^x@E>I^6aB6`O#yGc@L{)^G+#pyt$e9Ytv>4=la~azvgZJa}!?udn%Vo zrA7SNgUj%OlM!T(D0eiw>eXd(nURK8^@fd1E?m2r7#tw}j_))~%>2WGDPT+n5JgOx9EWL3_n%XfNW#2dJ#XS!DAYS` zA*;k`3UHdU{fD^$=4su#5HMPES~0V0W3DkvQfO?`ly8(q%0(cT#s9lTwkQL9LLq_2j6O3J7@xSs6aB(Xz7{n zAAubKPaTxA2fxitm;g-pZq}lmOTbsgiNYR_fYVUMCEzwEK;uF7dl6UcN%;|XG-goD z+D>pyfEq4nLI}S>qcSvBSi0!}asLzVYQO<{7f%gwC!tO_5-lnDOc8sOw*p+ORD`iX zCU)bn&BUUTFGwl!bm0q~s+KKXa0n^l8(^A|M8!oHY8*anlNeGA)Hv%ZFRCL6LDLNh zST6;Mv9-tH8U!ZBp_{ZIQ6;TVthq76MFh&?f{7OW%Vo6`rY?1-zn5h|dBP42i;i%HpZ>E+&Dz zJA-N>NxCJPq_JXx8QSS!ZW;BHaUiN9rQwaX2+6i;Y4BZ{_NGCHd&~9&!mAT8!K)~R zQptS+zDFs<;A8@d>EMs1e~5BA@guuoyUC*5G(=jIv%!(u4)!n&(!tj9f7b2~d#fCFrfb*7S)2WVG?aVoc*Rtk^#pZd5kotH5JW-)^w4=mtAzUATfulTy8K?9<~T zJxhzB6TTv${$I^vvE&XpkR~d!&QQVnQ<^W8UYA%FKj|H}@pN-gT!z|_*2%3v3R6F8 TsQdiBOLmFQO`SeQS9$dp7VBrH literal 0 HcmV?d00001 diff --git a/tests/bugfixes/github/test_issue_712.py b/tests/bugfixes/github/test_issue_712.py new file mode 100644 index 00000000..0005b916 --- /dev/null +++ b/tests/bugfixes/github/test_issue_712.py 
@@ -0,0 +1,30 @@
+import system_tests
+
+
+class BigTiffImageRecursionStackExhaustion(
+ metaclass=system_tests.CaseMeta):
+ """
+ Regression test for the bug described in:
+ https://github.com/Exiv2/exiv2/issues/712
+
+ A malicious input file can cause BigTiffImage::printIFD() to
+ recurse arbitrarily deep, causing a crash due to stack exhaustion.
+
+ The bug only existed in the -pR mode, which is now only enabled
+ in debug builds.
+ """
+ url = "https://github.com/Exiv2/exiv2/issues/790"
+
+ filename = system_tests.path(
+ "$data_path/issue_712_poc.tif"
+ )
+ commands = ["$exiv2 -b -u -k pr $filename"]
+ stdout = ["File name : " + filename + """
+File size : 3720 Bytes
+MIME type :
+Image size : 0 x 0
+"""
+]
+ stderr = [filename + """: No Exif data found in the file
+"""]
+ retval = [253]
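Review bot: The command in `commands` does not pass `-pR`, and the expected `stdout` contains no "Maximum indentation depth exceeded." line, so this case does not appear to reach the new depth guard in `printIFD()`; it would presumably pass with or without the C++ change. The docstring says `-pR` exists only in debug builds, so a short comment above `commands` such as `# -pR is debug-only; this checks that release builds reject the PoC without crashing` would make the limited coverage explicit. A debug-build case asserting the cut-off message would cover the fix itself. The docstring cites issue 712 while `url` points to issue 790; one of the two should be corrected or the difference explained.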