xymp
/
exiv2
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add bounds check on allocation size. (#854)

Browse Source
v0.27.3
Kevin Backhouse 6 years ago committed by Luis Díaz Más
parent fe538e9438
commit 80cd0d2990
3 changed files with 38 additions and 3 deletions
Show Stats Download Patch File Download Diff File

15
src/jpgimage.cpp
Unescape Escape View File

@ -31,6 +31,7 @@
#include "futils.hpp" #include "futils.hpp"
#include "helper_functions.hpp" #include "helper_functions.hpp"
#include "enforce.hpp" #include "enforce.hpp"
#include "safe_op.hpp"
#ifdef WIN32 #ifdef WIN32
#include <windows.h> #include <windows.h>
@ -459,6 +460,10 @@ namespace Exiv2 {
--search; --search;
} }
else if ( marker == app2_ && memcmp(buf.pData_ + 2, iccId_,11)==0) { else if ( marker == app2_ && memcmp(buf.pData_ + 2, iccId_,11)==0) {
if (size < 2+14) {
rc = 8;
break;
}
// ICC profile // ICC profile
if ( ! foundIccData ) { if ( ! foundIccData ) {
foundIccData = true ; foundIccData = true ;
@ -481,14 +486,18 @@ namespace Exiv2 {
io_->seek( 14+2, BasicIo::cur); // step header io_->seek( 14+2, BasicIo::cur); // step header
// read in profile // read in profile
// #1286 profile can be padded // #1286 profile can be padded
DataBuf icc((chunk==1&&chunks==1)?s:size-2-14); long icc_size = size-2-14;
if ( icc.size_ > size-2-14) throw Error(kerInvalidIccProfile); if (chunk==1 && chunks==1) {
enforce(s <= static_cast<uint32_t>(icc_size), kerInvalidIccProfile);
icc_size = s;
}
DataBuf icc(icc_size);
io_->read( icc.pData_,icc.size_); io_->read( icc.pData_,icc.size_);
if ( !iccProfileDefined() ) { // first block of profile if ( !iccProfileDefined() ) { // first block of profile
setIccProfile(icc,chunk==chunks); setIccProfile(icc,chunk==chunks);
} else { // extend existing profile } else { // extend existing profile
DataBuf profile(iccProfile_.size_+icc.size_); DataBuf profile(Safe::add(iccProfile_.size_, icc.size_));
if ( iccProfile_.size_ ) { if ( iccProfile_.size_ ) {
::memcpy(profile.pData_,iccProfile_.pData_,iccProfile_.size_); ::memcpy(profile.pData_,iccProfile_.pData_,iccProfile_.size_);
} }

BIN
test/data/issue_853_poc.jpg
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

26
tests/bugfixes/github/test_issue_853.py
Unescape Escape View File

@ -0,0 +1,26 @@
# -*- coding: utf-8 -*-
from system_tests import CaseMeta, path
class DenialOfServiceInAdjustTimeOverflow(metaclass=CaseMeta):
"""
Regression test for the bug described in:
https://github.com/Exiv2/exiv2/issues/853
The date parsing code in XMPUtils::ConvertToDate does not
check that the month and day are in bounds. This can cause a
denial of service in AdjustTimeOverflow because it adjusts
out-of-bounds days in a loop that subtracts one month per
iteration.
"""
url = "https://github.com/Exiv2/exiv2/issues/853"
filename = path("$data_path/issue_853_poc.jpg")
commands = ["$exiv2 $filename"]
stdout = [""]
stderr = [
"""Exiv2 exception in print action for file $filename:
Not a valid ICC Profile
"""]
retval = [1]
Write Preview
Loading…
Cancel
Save