From 74cb5bab132ed76adf15df172c5e8b58cddaa96c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Wed, 27 Sep 2017 23:38:49 +0200
Subject: [PATCH] Fixed wrong brackets: size*count + pad can overflow before the cast => Should fix #76 (most of the work has been done by Robin Mills in 6e3855aed7ba8bb4731fc4087ca7f9078b2f3d97)

The problem with #76 is the contents of the 26th IFD, with the following contents: tag: 0x8649 type: 0x1 count: 0xffff ffff offset: 0x4974

The issue is the size of count (uint32_t), as adding anything to it causes an overflow. Especially the expression: (size*count + pad+20) results in an overflow and gives 20 as a result instead of 0x100000014, thus the condition in the if in the next line is false and the program continues to run (until it crashes at io.read).

To properly account for the overflow, the brackets have to be removed, as then the result is saved in the correctly sized type and not cast after being calculated in the smaller type.

The brackets have also been removed from bigtiffimage.cpp, where the same issue is present.
---
 src/bigtiffimage.cpp | 2 +-
 src/image.cpp | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/bigtiffimage.cpp b/src/bigtiffimage.cpp
index dc8c2f86..b1dcd27a 100644
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@@ -227,7 +227,7 @@ namespace Exiv2
 : 1;
 // #55 memory allocation crash test/data/POC8
- long long allocate = (long long) (size*count + pad);
+ long long allocate = (long long) size*count + pad;
 if ( allocate > (long long) io.size() ) {
 throw Error(57);
 }
diff --git a/src/image.cpp b/src/image.cpp
index c19fb989..ce79c0a6 100644
--- a/src/image.cpp
+++ b/src/image.cpp
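Review bot: The new `allocate` expression on the `+` line is only free of wrap-around if both `size` and `count` are at most 32 bits wide, and their declarations lie outside the hunk; BigTIFF directory entries carry an 8-byte count, so if `count` is a 64-bit unsigned type here the `long long` operand is converted to unsigned and the product is still computed modulo 2^64, which can yield a small or negative `allocate` that passes the `io.size()` comparison. A guard that does not depend on the multiplication staying in range would close that, e.g. `if ( count > (unsigned long long) io.size() ) throw Error(57);` placed ahead of the `allocate` line (assuming `size` is nonzero for any entry that reaches the read — confirm against the lookup above). Spelling the widening out as `static_cast<long long>(size) * count + pad` would also make it visible that the cast binds to `size` alone, which is easy to misread next to the old parenthesised form. The enclosing function starts and ends outside the hunk.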
@@ -402,7 +402,7 @@ namespace Exiv2 {
 // if ( offset > io.size() ) offset = 0; // Denial of service?
 // #55 memory allocation crash test/data/POC8
- long long allocate = (long long) (size*count + pad+20);
+ long long allocate = (long long) size*count + pad+20;
 if ( allocate > (long long) io.size() ) {
 throw Error(57);
 }
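Review bot: The `+` line now widens `size` before the multiply, but nothing in the hunk says so, and `(long long) size*count + pad+20` reads like the old parenthesised form, so a comment and an explicit cast would stop the brackets from being reintroduced: `// widen before multiplying: size*count alone overflows uint32_t (#76)` above `long long allocate = static_cast<long long>(size) * count + pad + 20;`. The check still only bounds `allocate` by the file size; whether `offset + allocate` is validated against `io.size()` before the later read is not visible here, and the commented-out `offset` check two lines above suggests it may not be. The diffstat lists no test data, so the #76 input described in the commit message is worth adding next to POC8 as a regression case. The enclosing function starts and ends outside the hunk.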