xymp
/
exiv2
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #1787 from Exiv2/mergify/bp/main/pr-1766

Browse Source 
Extra checking to prevent loop counter from wrapping around (backport #1766)
main
Kevin Backhouse 4 years ago committed by GitHub
parent 686702616c eb2782e685
commit 944e68fa15
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 87 additions and 26 deletions
Show Stats Download Patch File Download Diff File

4
src/actions.cpp
Unescape Escape View File

@ -603,8 +603,8 @@ namespace Action {
std::ostringstream os; std::ostringstream os;
// #1114 - show negative values for SByte // #1114 - show negative values for SByte
if (md.typeId() == Exiv2::signedByte) { if (md.typeId() == Exiv2::signedByte) {
for ( int c = 0 ; c < md.value().count() ; c++ ) { for ( long c = 0 ; c < md.value().count() ; c++ ) {
int value = md.value().toLong(c); long value = md.value().toLong(c);
os << (c?" ":"") << std::dec << (value < 128 ? value : value - 256); os << (c?" ":"") << std::dec << (value < 128 ? value : value - 256);
} }
} else { } else {

9
src/basicio.cpp
Unescape Escape View File

@ -1780,9 +1780,10 @@ namespace Exiv2 {
// find $right // find $right
findDiff = false; findDiff = false;
blockIndex = nBlocks - 1; blockIndex = nBlocks;
blockSize = p_->blocksMap_[blockIndex].getSize(); while (blockIndex > 0 && right < src.size() && !findDiff) {
while ((blockIndex + 1 > 0) && right < src.size() && !findDiff) { blockIndex--;
blockSize = p_->blocksMap_[blockIndex].getSize();
if(src.seek(-1 * (blockSize + right), BasicIo::end)) { if(src.seek(-1 * (blockSize + right), BasicIo::end)) {
findDiff = true; findDiff = true;
} else { } else {
@ -1797,8 +1798,6 @@ namespace Exiv2 {
} }
} }
} }
blockIndex--;
blockSize = static_cast<long>(p_->blocksMap_[blockIndex].getSize());
} }
delete []buf; delete []buf;

8
src/convert.cpp
Unescape Escape View File

@ -549,7 +549,7 @@ namespace Exiv2 {
auto pos = exifData_->findKey(ExifKey(from)); auto pos = exifData_->findKey(ExifKey(from));
if (pos == exifData_->end()) return; if (pos == exifData_->end()) return;
if (!prepareXmpTarget(to)) return; if (!prepareXmpTarget(to)) return;
for (int i = 0; i < pos->count(); ++i) { for (long i = 0; i < pos->count(); ++i) {
std::string value = pos->toString(i); std::string value = pos->toString(i);
if (!pos->value().ok()) { if (!pos->value().ok()) {
#ifndef SUPPRESS_WARNINGS #ifndef SUPPRESS_WARNINGS
@ -697,7 +697,7 @@ namespace Exiv2 {
if (pos == exifData_->end()) return; if (pos == exifData_->end()) return;
if (!prepareXmpTarget(to)) return; if (!prepareXmpTarget(to)) return;
std::ostringstream value; std::ostringstream value;
for (int i = 0; i < pos->count(); ++i) { for (long i = 0; i < pos->count(); ++i) {
value << static_cast<char>(pos->toLong(i)); value << static_cast<char>(pos->toLong(i));
} }
(*xmpData_)[to] = value.str(); (*xmpData_)[to] = value.str();
@ -710,7 +710,7 @@ namespace Exiv2 {
if (pos == exifData_->end()) return; if (pos == exifData_->end()) return;
if (!prepareXmpTarget(to)) return; if (!prepareXmpTarget(to)) return;
std::ostringstream value; std::ostringstream value;
for (int i = 0; i < pos->count(); ++i) { for (long i = 0; i < pos->count(); ++i) {
if (i > 0) value << '.'; if (i > 0) value << '.';
value << pos->toLong(i); value << pos->toLong(i);
} }
@ -828,7 +828,7 @@ namespace Exiv2 {
auto pos = xmpData_->findKey(XmpKey(from)); auto pos = xmpData_->findKey(XmpKey(from));
if (pos == xmpData_->end()) return; if (pos == xmpData_->end()) return;
std::ostringstream array; std::ostringstream array;
for (int i = 0; i < pos->count(); ++i) { for (long i = 0; i < pos->count(); ++i) {
std::string value = pos->toString(i); std::string value = pos->toString(i);
if (!pos->value().ok()) { if (!pos->value().ok()) {
#ifndef SUPPRESS_WARNINGS #ifndef SUPPRESS_WARNINGS

8
src/crwimage_int.cpp
Unescape Escape View File

@ -867,12 +867,16 @@ namespace Exiv2 {
assert(ifdId != ifdIdNotSet); assert(ifdId != ifdIdNotSet);
std::string groupName(Internal::groupName(ifdId)); std::string groupName(Internal::groupName(ifdId));
const uint32_t component_size = ciffComponent.size();
enforce(component_size % 2 == 0, kerCorruptedMetadata);
enforce(component_size/2 <= static_cast<uint32_t>(std::numeric_limits<uint16_t>::max()), kerCorruptedMetadata);
const uint16_t num_components = static_cast<uint16_t>(component_size/2);
uint16_t c = 1; uint16_t c = 1;
while (uint32_t(c)*2 < ciffComponent.size()) { while (c < num_components) {
uint16_t n = 1; uint16_t n = 1;
ExifKey key(c, groupName); ExifKey key(c, groupName);
UShortValue value; UShortValue value;
if (ifdId == canonCsId && c == 23 && ciffComponent.size() > 50) n = 3; if (ifdId == canonCsId && c == 23 && component_size >= 52) n = 3;
value.read(ciffComponent.pData() + c*2, n*2, byteOrder); value.read(ciffComponent.pData() + c*2, n*2, byteOrder);
image.exifData().add(key, &value); image.exifData().add(key, &value);
if (ifdId == canonSiId && c == 21) aperture = value.toLong(); if (ifdId == canonSiId && c == 21) aperture = value.toLong();

2
src/exif.cpp
Unescape Escape View File

@ -953,7 +953,7 @@ namespace {
long sumToLong(const Exiv2::Exifdatum& md) long sumToLong(const Exiv2::Exifdatum& md)
{ {
long sum = 0; long sum = 0;
for (int i = 0; i < md.count(); ++i) { for (long i = 0; i < md.count(); ++i) {
sum += md.toLong(i); sum += md.toLong(i);
} }
return sum; return sum;

6
src/exiv2.cpp
Unescape Escape View File

@ -1517,13 +1517,13 @@ namespace {
std::string parseEscapes(const std::string& input) std::string parseEscapes(const std::string& input)
{ {
std::string result; std::string result;
for (unsigned int i = 0; i < input.length(); ++i) { for (size_t i = 0; i < input.length(); ++i) {
char ch = input[i]; char ch = input[i];
if (ch != '\\') { if (ch != '\\') {
result.push_back(ch); result.push_back(ch);
continue; continue;
} }
int escapeStart = i; size_t escapeStart = i;
if (!(input.length() - 1 > i)) { if (!(input.length() - 1 > i)) {
result.push_back(ch); result.push_back(ch);
continue; continue;
@ -1544,7 +1544,7 @@ namespace {
result.push_back('\t'); result.push_back('\t');
break; break;
case 'u': // Escaping of unicode case 'u': // Escaping of unicode
if (input.length() - 4 > i) { if (input.length() >= 4 && input.length() - 4 > i) {
int acc = 0; int acc = 0;
for (int j = 0; j < 4; ++j) { for (int j = 0; j < 4; ++j) {
++i; ++i;

8
src/iptc.cpp
Unescape Escape View File

@ -22,6 +22,7 @@
#include "iptc.hpp" #include "iptc.hpp"
#include "types.hpp" #include "types.hpp"
#include "error.hpp" #include "error.hpp"
#include "enforce.hpp"
#include "value.hpp" #include "value.hpp"
#include "datasets.hpp" #include "datasets.hpp"
#include "jpgimage.hpp" #include "jpgimage.hpp"
@ -344,7 +345,10 @@ namespace Exiv2 {
void IptcData::printStructure(std::ostream& out, const Slice<byte*>& bytes, uint32_t depth) void IptcData::printStructure(std::ostream& out, const Slice<byte*>& bytes, uint32_t depth)
{ {
uint32_t i = 0; if (bytes.size() < 3) {
return;
}
size_t i = 0;
while (i < bytes.size() - 3 && bytes.at(i) != 0x1c) while (i < bytes.size() - 3 && bytes.at(i) != 0x1c)
i++; i++;
depth++; depth++;
@ -356,10 +360,12 @@ namespace Exiv2 {
char buff[100]; char buff[100];
uint16_t record = bytes.at(i + 1); uint16_t record = bytes.at(i + 1);
uint16_t dataset = bytes.at(i + 2); uint16_t dataset = bytes.at(i + 2);
enforce(bytes.size() - i >= 5, kerCorruptedMetadata);
uint16_t len = getUShort(bytes.subSlice(i + 3, bytes.size()), bigEndian); uint16_t len = getUShort(bytes.subSlice(i + 3, bytes.size()), bigEndian);
snprintf(buff, sizeof(buff), " %6d | %7d | %-24s | %6d | ", record, dataset, snprintf(buff, sizeof(buff), " %6d | %7d | %-24s | %6d | ", record, dataset,
Exiv2::IptcDataSets::dataSetName(dataset, record).c_str(), len); Exiv2::IptcDataSets::dataSetName(dataset, record).c_str(), len);
enforce(bytes.size() - i >= 5 + static_cast<size_t>(len), kerCorruptedMetadata);
out << buff << Internal::binaryToString(makeSlice(bytes, i + 5, i + 5 + (len > 40 ? 40 : len))) out << buff << Internal::binaryToString(makeSlice(bytes, i + 5, i + 5 + (len > 40 ? 40 : len)))
<< (len > 40 ? "..." : "") << (len > 40 ? "..." : "")
<< std::endl; << std::endl;

2
src/preview.cpp
Unescape Escape View File

@ -804,7 +804,7 @@ namespace {
enforce(size_ <= static_cast<uint32_t>(io.size()), kerCorruptedMetadata); enforce(size_ <= static_cast<uint32_t>(io.size()), kerCorruptedMetadata);
DataBuf buf(size_); DataBuf buf(size_);
uint32_t idxBuf = 0; uint32_t idxBuf = 0;
for (int i = 0; i < sizes.count(); i++) { for (long i = 0; i < sizes.count(); i++) {
uint32_t offset = dataValue.toLong(i); uint32_t offset = dataValue.toLong(i);
uint32_t size = sizes.toLong(i); uint32_t size = sizes.toLong(i);
enforce(Safe::add(idxBuf, size) < size_, kerCorruptedMetadata); enforce(Safe::add(idxBuf, size) < size_, kerCorruptedMetadata);

3
src/tags_int.cpp
Unescape Escape View File

@ -24,6 +24,7 @@
#include "convert.hpp" #include "convert.hpp"
#include "error.hpp" #include "error.hpp"
#include "enforce.hpp"
#include "i18n.h" // NLS support. #include "i18n.h" // NLS support.
#include "canonmn_int.hpp" #include "canonmn_int.hpp"
@ -2570,7 +2571,7 @@ namespace Exiv2 {
{ {
uint16_t bit = 0; uint16_t bit = 0;
uint16_t comma = 0; uint16_t comma = 0;
for (uint16_t i = 0; i < value.count(); i++ ) { // for each element in value array for (long i = 0; i < value.count(); i++ ) { // for each element in value array
auto bits = static_cast<uint16_t>(value.toLong(i)); auto bits = static_cast<uint16_t>(value.toLong(i));
for (uint16_t b = 0; b < 16; ++b) { // for every bit for (uint16_t b = 0; b < 16; ++b) { // for every bit
if (bits & (1 << b)) { if (bits & (1 << b)) {

4
src/tiffcomposite_int.cpp
Unescape Escape View File

@ -398,7 +398,7 @@ namespace Exiv2 {
return; return;
} }
uint32_t size = 0; uint32_t size = 0;
for (int i = 0; i < pSize->count(); ++i) { for (long i = 0; i < pSize->count(); ++i) {
size += static_cast<uint32_t>(pSize->toLong(i)); size += static_cast<uint32_t>(pSize->toLong(i));
} }
auto offset = static_cast<uint32_t>(pValue()->toLong(0)); auto offset = static_cast<uint32_t>(pValue()->toLong(0));
@ -455,7 +455,7 @@ namespace Exiv2 {
#endif #endif
return; return;
} }
for (int i = 0; i < pValue()->count(); ++i) { for (long i = 0; i < pValue()->count(); ++i) {
const auto offset = static_cast<uint32_t>(pValue()->toLong(i)); const auto offset = static_cast<uint32_t>(pValue()->toLong(i));
const byte* pStrip = pData + baseOffset + offset; const byte* pStrip = pData + baseOffset + offset;
const auto size = static_cast<uint32_t>(pSize->toLong(i)); const auto size = static_cast<uint32_t>(pSize->toLong(i));

6
src/tiffvisitor_int.cpp
Unescape Escape View File

@ -456,7 +456,7 @@ namespace Exiv2 {
// create vector of signedShorts from unsignedShorts in Exif.Canon.AFInfo // create vector of signedShorts from unsignedShorts in Exif.Canon.AFInfo
std::vector<int16_t> ints; std::vector<int16_t> ints;
std::vector<uint16_t> uint; std::vector<uint16_t> uint;
for (int i = 0; i < object->pValue()->count(); i++) { for (long i = 0; i < object->pValue()->count(); i++) {
ints.push_back(static_cast<int16_t>(object->pValue()->toLong(i))); ints.push_back(static_cast<int16_t>(object->pValue()->toLong(i)));
uint.push_back(static_cast<uint16_t>(object->pValue()->toLong(i))); uint.push_back(static_cast<uint16_t>(object->pValue()->toLong(i)));
} }
@ -505,10 +505,10 @@ namespace Exiv2 {
auto v = Exiv2::Value::create(record.bSigned ? Exiv2::signedShort : Exiv2::unsignedShort); auto v = Exiv2::Value::create(record.bSigned ? Exiv2::signedShort : Exiv2::unsignedShort);
std::ostringstream s; std::ostringstream s;
if (record.bSigned) { if (record.bSigned) {
for (int16_t k = 0; k < record.size; k++) for (uint16_t k = 0; k < record.size; k++)
s << " " << ints.at(nStart++); s << " " << ints.at(nStart++);
} else { } else {
for (int16_t k = 0; k < record.size; k++) for (uint16_t k = 0; k < record.size; k++)
s << " " << uint.at(nStart++); s << " " << uint.at(nStart++);
} }

2
src/xmp.cpp
Unescape Escape View File

@ -789,7 +789,7 @@ namespace Exiv2 {
if (i.typeId() == xmpBag || i.typeId() == xmpSeq || i.typeId() == xmpAlt) { if (i.typeId() == xmpBag || i.typeId() == xmpSeq || i.typeId() == xmpAlt) {
printNode(ns, i.tagName(), "", options); printNode(ns, i.tagName(), "", options);
meta.SetProperty(ns.c_str(), i.tagName().c_str(), nullptr, options); meta.SetProperty(ns.c_str(), i.tagName().c_str(), nullptr, options);
for (int idx = 0; idx < i.count(); ++idx) { for (long idx = 0; idx < i.count(); ++idx) {
const std::string item = i.tagName() + "[" + toString(idx + 1) + "]"; const std::string item = i.tagName() + "[" + toString(idx + 1) + "]";
printNode(ns, item, i.toString(idx), 0); printNode(ns, item, i.toString(idx), 0);
meta.SetProperty(ns.c_str(), item.c_str(), i.toString(idx).c_str()); meta.SetProperty(ns.c_str(), item.c_str(), i.toString(idx).c_str());

51
tests/bugfixes/github/test_issue_ghsa_hqjh_hpv8_8r9p.py
Unescape Escape View File

@ -0,0 +1,51 @@
# -*- coding: utf-8 -*-
from system_tests import CaseMeta, FileDecoratorBase, path
from struct import *
# The PoC is a fairly large file, mostly consisting of zero bytes,
# so it would be a waste of storage to check it into the repo.
# Instead, we can generate the PoC with a small amount of code:
class CreatePoC(FileDecoratorBase):
"""
This class copies files from test/data to test/tmp
Copied files are NOT removed in tearDown
Example: @CopyTmpFiles("$data_path/test_issue_1180.exv")
"""
#: override the name of the file list
FILE_LIST_NAME = '_tmp_files'
def setUp_file_action(self, expanded_file_name):
size = 0x20040
contents = pack('<2sI8sHHIIHHII', bytes(b'II'), 14, bytes(b'HEAPCCDR'), \
1, 0x300b, size - 26, 12, 1, 0x102a, size - 38, 12) + \
bytes(bytearray(size-38))
f = open(expanded_file_name, 'wb')
f.write(contents)
f.close()
def tearDown_file_action(self, f):
"""
Do nothing. We don't clean up TmpFiles
"""
# This decorator generates the PoC file.
@CreatePoC("$tmp_path/issue_ghsa_hqjh_hpv8_8r9p_poc.crw")
class CrwMapDecodeArrayInfiniteLoop(metaclass=CaseMeta):
"""
Regression test for the bug described in:
https://github.com/Exiv2/exiv2/security/advisories/GHSA-hqjh-hpv8-8r9p
"""
url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-hqjh-hpv8-8r9p"
filename = path("$tmp_path/issue_ghsa_hqjh_hpv8_8r9p_poc.crw")
commands = ["$exiv2 $filename"]
stdout = [""]
stderr = [
"""Exiv2 exception in print action for file $filename:
$kerCorruptedMetadata
"""]
retval = [1]
Write Preview
Loading…
Cancel
Save