From 9b7f1de5c08b62e405c554eca9c44e864e0f48ab Mon Sep 17 00:00:00 2001
From: Andreas Huggel
Date: Fri, 31 Aug 2012 04:30:53 +0000
Subject: [PATCH] #841: Do not read past the end of the data stream (file), added test case.
---
src/pngimage.cpp | 4 +++-
test/bugfixes-test.sh | 7 +++++++
test/data/bugfixes-test.out | Bin 106735 -> 106845 bytes
test/data/exiv2-bug841.png | Bin 0 -> 2585 bytes
4 files changed, 10 insertions(+), 1 deletion(-)
create mode 100644 test/data/exiv2-bug841.png
diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index 3407371a..b527901e 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -118,6 +118,7 @@ namespace Exiv2 { } clearMetadata(); + const long imgSize = io_->size(); DataBuf cheaderBuf(8); // Chunk header size : 4 bytes (data size) + 4 bytes (chunk type). while(!io_->eof())
@@ -134,7 +135,8 @@ namespace Exiv2 { // Decode chunk data length. uint32_t dataOffset = Exiv2::getULong(cheaderBuf.pData_, Exiv2::bigEndian); - if (dataOffset > 0x7FFFFFFF) throw Exiv2::Error(14); + long pos = io_->tell(); + if (pos == -1 || static_cast(dataOffset) > imgSize - pos) throw Exiv2::Error(14); // Perform a chunk triage for item that we need.
diff --git a/test/bugfixes-test.sh b/test/bugfixes-test.sh
index 56cb285f..c5fad4f3 100755
--- a/test/bugfixes-test.sh
+++ b/test/bugfixes-test.sh
@@ -248,6 +248,13 @@ else printf "($num skipped) " >&3 fi +num=841 +filename=exiv2-bug$num.png +printf "$num " >&3 +echo '------>' Bug $num '<-------' >&2 +cp -f ../data/$filename $filename +$bin/exiv2 $filename + ) 3>&1 > $results 2>&1 printf "\n"
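Review bot: `imgSize` in the first pngimage.cpp hunk is taken from `io_->size()` without checking that the call succeeded, although the second hunk treats `-1` from `io_->tell()` as a failure. If size() reports errors the same way (its contract is not visible here), `imgSize - pos` goes negative and every chunk is rejected with Error(14), which fails closed but reports a malformed image for what is really an I/O error. I would document that on the declaration, e.g. `// Stream size, fetched once; a negative value (size() failure) makes the chunk-length check below reject every chunk`, or test the value explicitly right after the call. The enclosing function starts and ends outside the hunk.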
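Review bot: The new bound check in the second pngimage.cpp hunk drops the `dataOffset > 0x7FFFFFFF` guard and relies on casting the unsigned 32-bit chunk length to a signed type. The cast's target type is missing from this rendering of the patch; assuming it is `long` (to match `pos` and `imgSize`), on platforms where `long` is 32 bits a length of 0x80000000 or more converts to a negative value, so the comparison with `imgSize - pos` is false and the oversized length is accepted. Keeping the old guard next to the new one closes that gap: `if (pos == -1 || dataOffset > uint32_t(0x7FFFFFFF) || static_cast<long>(dataOffset) > imgSize - pos) throw Exiv2::Error(14);`. Whether the bytes that follow the chunk data also have to fit inside `imgSize - pos` depends on the read code below the hunk, which is not shown. The loop body continues outside the hunk.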
diff --git a/test/data/bugfixes-test.out b/test/data/bugfixes-test.out index c78ecaf9279b0f70f5d95b4c94b60a2a47369942..29dbe3284d1d8b095d763fdf895ca5d418be9080 100644 GIT binary patch delta 122 zcmaEVknQdvwuUW??-%6hf`OfaQ)#+_g^8hp4Maef%e5l2%t#@%B0067Br`uxAu~^* zpeQr1L?JO5%umZNQb^0pNd+naD%4FXO$Tb%E67W?;&Mv_il-=)T5nU_l7tPBVB>b7M^(Ml(BOt)S9^zR zV8C@3H0T-~a*Y|5#z&SXN0+Dk{riU>P_*vt1mkGDvnE#OK4%<{)g#n)Z$!sxSnE2j zX&0;U1nb8BF{{E%RpaLrc=sjzW+Z->fZr#C??fc5CJJodiV;yJBF;jxN^O;8_9~S_ zUGAtJa*vL!Orw~iCg${As@56VxcXp+th7D+V01fw}VI3OQqTzOQ+Z}XQC0bjE?$1IGih^}&V%;0;#kEgdac5iwd{Uw%phBsNsjYMN693( zJyrLwD;?jlJ00QhQjo?-E?y=TS}Cd#O2HsSK8!0E!4!=7g9;2kYZy`lLM4NcY5=P0 zgBt5FnrduoFJ?d!W?@`(oGWq_PpleI0{zRX9p7`?-L(40LGUa|=^_`7Qu6gwnT{;$ zCCK`TG96ZSHv}Xd3Xu+mNcADo0e_eReF)en>+=s_H9AaR4;EouaC}kdQjUATml@f) z+WAjj>l&@@Nl@}EyT~cbD5J{y!ezZUnKm>}i<5Tar47)<pQ<;2GcWe#?C(P;N>DSv&$ybjfvH-x?Ww>?8ekRg&NEeg^nAdiU^sOD6b<( z>-~jE3&W%eqAZyxyFirsiV~Gk#OkoDc0#t+H&9~W)^uU&Cm@|8e{gZXa3tm;_l+w+ zpI-T<>t&K=pHcTLw8j&zu%Elt6eq7G7AKPwDIj8gk|)`DV(vv^j=v<(e}Di6a`jNL z9#=l#(=`j9E^*@>iBe>K&I9zBl^fkJ_?iQ1<37+y3L7s+9VS$C=&7rJa%0m|KuLAv^Prs;n8PT#D zTI(Sy5L|gWNy&?pQ)9E)PDvb79LEr|W5leO3>Gb&NljX!g2#}s0nJR~uml{2fK3y`M+n6+dDf-G*BP~Vzt*N${z>r!a#5>a8rmHPBp35T7=W&Vr?{Y1YjH6}cZPKn5i z$!Ln&8Nin7gYQfRJPxFmu-*H*^M&Et1463{->5m(GyjiH70{!8EFvu? 
zS}=R8XZPck6CY3940saA*hp3(PRphVb=zb3vg3u}<^itN5Y|-0$nOSvjO+qe%nMBA zu~Ux+{x^!49-ehMT3AX4`YjznIr;JA&48zYvEJlL#BJR&p-MJ}avOFHH-4dC7u-w{ zeCZ!Z5F~O0@nFLrOAyC8dZ35^&8G=VV}(tu4DA=9A>Zv&Hv`@UGB=ae$TG5RLe*^E zt!P9ht^?g3cBhCX@8d{|csYFDExvz6~o66$~jtiGu`iV{u4N!{}xT@h3 z?$Cf&@3Xd(YY~raX93l;HI`|ZzIW{*&=cfO=r!lT&dM!I%;6_y^Am6J<0UEanJMw2 z6mEvExb%0?(n?~}nwUp)RI!p!Jbk8lH-q*ic4i0$zK4&+%9$9nj znNcm-!D=yM2KG4h0`zkw6FMUT$$#GG#Nqq5izu-g2J32Hzwr$nDnUI$HnIuxsp8) zBlqBJ{orT1ns@Y4@Ov*m1UmP@myO7V>wy(j^Q>8f^y!pNozR<7Jq-rP)z9Pe54k@U zmw(8~KV;`0Mi;#WQH$P2Dc^iDl6}H~JK+j>&mHo?67IugJP6RgecabL_YJVOJG?%< z>a{w@*(261%xA8EfnMPToVlXNw_LBBxmY*GYBro2O!&whdeRecaxLiOde8@3rvvwX zANcT8;G+TUQ42uRA zMEwiO7E4Qo-H_)Vy6vP}lWBH7&FQE4`LrdzZJAG7;m3IR^ff+XogcfwXL|XpO+I^z z&)L4r*|`FKCivojZnJwAwrt*KE2yeB>awSex$f@UuC8onm&D#BvFfwTQ?|vF zYgv?9%rc85&tjEZkbJAH0I@4<4v@<1DmS|;EN->cU5hNY*fxOM?$`vhdB?W-+~d>L zZ`JBIYVZ=HE1zSY&GFS=G_kfhwZ1j8v3<|GW8B=G+uFOoy+6ORZ`ys}&$8pT@7W#u vHs=GI>!EG!iF@PeGB_OQ{{;X5|NjF3Qavf!c7?DL00000Nd-