Fix integer overflow in WebPImage::getHeaderOffset (#962)

Fix integer overflow in WebPImage::getHeaderOffset
6 years ago · a51980898b
parent 82b9e5e81c e925bc5add
commit a51980898b
3 changed files with 25 additions and 2 deletions
--- a/src/webpimage.cpp
+++ b/src/webpimage.cpp
@ -827,8 +827,9 @@ namespace Exiv2 {
        }
    }

-    long WebPImage::getHeaderOffset(byte *data, long data_size,
-                                    byte *header, long header_size) {
+    long WebPImage::getHeaderOffset(byte* data, long data_size, byte* header, long header_size)
+    {
+        if (data_size < header_size) { return -1; }
        long pos = -1;
        for (long i=0; i < data_size - header_size; i++) {
            if (memcmp(header, &data[i], header_size) == 0) {
--- a/test/data/issue_960.poc.webp
+++ b/test/data/issue_960.poc.webp
--- a/tests/bugfixes/github/test_issue_960.py
+++ b/tests/bugfixes/github/test_issue_960.py
@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+
+class WebPImageGetHeaderOffset(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/pull/960
+    """
+    url = "https://github.com/Exiv2/exiv2/pull/960"
+
+    filename1 = path("$data_path/issue_960.poc.webp")
+    commands = ["$exiv2 $filename1"]
+    stdout = [""]
+    stderr = [
+"""Warning: Failed to decode Exif metadata.
+Exiv2 exception in print action for file $filename1:
+$kerCorruptedMetadata
+"""
+]
+    retval = [1]