From 8ff26931e31bb25d66c69846f47f3f5b6d9a32f1 Mon Sep 17 00:00:00 2001 From: Robin Mills Date: Mon, 22 Jan 2018 23:26:17 +0100 Subject: [PATCH 01/10] Do not use Image::printStructure() when reading images as this causes security issues. --- src/cr2image.cpp | 2 -- src/crwimage.cpp | 11 ++--------- src/orfimage.cpp | 2 -- src/rw2image.cpp | 2 -- src/tiffimage.cpp | 4 ---- 5 files changed, 2 insertions(+), 19 deletions(-) diff --git a/src/cr2image.cpp b/src/cr2image.cpp index d9f6b149..fcfff75b 100644 --- a/src/cr2image.cpp +++ b/src/cr2image.cpp @@ -102,8 +102,6 @@ namespace Exiv2 { throw Error(kerNotAnImage, "CR2"); } clearMetadata(); - std::ofstream devnull; - printStructure(devnull, kpsRecursive, 0); ByteOrder bo = Cr2Parser::decode(exifData_, iptcData_, xmpData_, diff --git a/src/crwimage.cpp b/src/crwimage.cpp index b7871468..d1124992 100644 --- a/src/crwimage.cpp +++ b/src/crwimage.cpp @@ -101,15 +101,8 @@ namespace Exiv2 { throw Error(kerNotACrwImage); } clearMetadata(); - // read all metadata into memory - // we should put this into clearMetadata(), however it breaks the test suite! - try { - std::ofstream devnull; - printStructure(devnull,kpsRecursive,0); - } catch (Exiv2::Error& /* e */) { - DataBuf file( (long) io().size()); - io_->read(file.pData_,file.size_); - } + DataBuf file( (long) io().size()); + io_->read(file.pData_,file.size_); CrwParser::decode(this, io_->mmap(), (uint32_t) io_->size()); diff --git a/src/orfimage.cpp b/src/orfimage.cpp index 3177e360..8a36a6bb 100644 --- a/src/orfimage.cpp +++ b/src/orfimage.cpp @@ -114,8 +114,6 @@ namespace Exiv2 { throw Error(kerNotAnImage, "ORF"); } clearMetadata(); - std::ofstream devnull; - printStructure(devnull, kpsRecursive, 0); ByteOrder bo = OrfParser::decode(exifData_, iptcData_, xmpData_, diff --git a/src/rw2image.cpp b/src/rw2image.cpp index ae489682..faf51261 100644 --- a/src/rw2image.cpp +++ b/src/rw2image.cpp 
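Review bot: In the crwimage.cpp hunk the whole-file read that replaces the old try/catch fallback discards the return value of `io_->read(file.pData_, file.size_)`, and `file` is not referenced again within the hunk, so a short or failed read goes unnoticed while the file size is still passed to `CrwParser::decode` as `(uint32_t) io_->size()`. If the read only ever served to pull the data into memory, the `io_->mmap()` on the following line already does that and both lines can be dropped; if it is still needed, check the count, e.g. `if (io_->read(file.pData_, file.size_) != file.size_) throw Error(kerCorruptedMetadata);` (or whichever read-failure code the project uses). The `(long)` and `(uint32_t)` casts of `io().size()` silently truncate on very large inputs, so a size guard before the `DataBuf` allocation would make that limit explicit. The enclosing function starts before and ends after this hunk.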
@@ -125,8 +125,6 @@ namespace Exiv2 { throw Error(kerNotAnImage, "RW2"); } clearMetadata(); - std::ofstream devnull; - printStructure(devnull, kpsRecursive, 0); ByteOrder bo = Rw2Parser::decode(exifData_, iptcData_, xmpData_, diff --git a/src/tiffimage.cpp b/src/tiffimage.cpp index 529ba4a3..8731449c 100644 --- a/src/tiffimage.cpp +++ b/src/tiffimage.cpp @@ -180,10 +180,6 @@ namespace Exiv2 { } clearMetadata(); - // recursively print the structure to /dev/null to ensure all metadata is in memory - // must be recursive to handle NEFs which stores the raw image in a subIFDs - std::ofstream devnull; - printStructure(devnull,kpsRecursive); ByteOrder bo = TiffParser::decode(exifData_, iptcData_, xmpData_, From afb98cbc6e288dc8ea75f3394a347fb9b37abc55 Mon Sep 17 00:00:00 2001 From: Robin Mills Date: Mon, 22 Jan 2018 23:27:08 +0100 Subject: [PATCH 02/10] Allocate correct amount of memory for the ICC profile --- src/tiffimage.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tiffimage.cpp b/src/tiffimage.cpp index 8731449c..a69c7afd 100644 --- a/src/tiffimage.cpp +++ b/src/tiffimage.cpp @@ -191,7 +191,7 @@ namespace Exiv2 { Exiv2::ExifKey key("Exif.Image.InterColorProfile"); Exiv2::ExifData::iterator pos = exifData_.findKey(key); if ( pos != exifData_.end() ) { - iccProfile_.alloc(pos->count()); + iccProfile_.alloc(pos->count()*pos->typeSize()); pos->copy(iccProfile_.pData_,bo); } From 75415693d864422b9d88b71bc594faaade3001dd Mon Sep 17 00:00:00 2001 
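Review bot: The new allocation size `pos->count()*pos->typeSize()` multiplies two values taken from the TIFF entry, and nothing in the hunk bounds the product before `alloc()` or before `pos->copy()` writes that many bytes into `iccProfile_.pData_`. Where `long` is 32 bits a large count times an 8-byte type wraps, so `alloc` and `copy` can disagree on the size; even without wrap an attacker-chosen count yields an arbitrarily large allocation. A guard such as `if (pos->count() > LONG_MAX / pos->typeSize()) throw Error(kerInvalidMalloc);` before the alloc closes the wrap (the test output in this series shows unknown types get type size 1, so a zero divisor looks impossible — confirm), and if the datum type exposes its byte size directly, using that accessor keeps the two calls consistent. The enclosing function continues outside the hunk.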
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Sat, 9 Jun 2018 23:41:44 +0200 Subject: [PATCH 03/10] [testsuite] Update testsuite after printStructure deletion --- .../bugfixes/github/test_CVE_2017_1000127.py | 40 +++++++++++--- tests/bugfixes/github/test_CVE_2017_11336.py | 38 +++++++++++-- tests/bugfixes/github/test_CVE_2017_11337.py | 20 ++++--- tests/bugfixes/github/test_CVE_2017_11338.py | 21 +++++--- tests/bugfixes/github/test_CVE_2017_11339.py | 38 +++++++++++-- tests/bugfixes/github/test_CVE_2017_11340.py | 39 ++++++++++++-- tests/bugfixes/github/test_CVE_2017_11553.py | 44 ++++++++++++--- tests/bugfixes/github/test_CVE_2017_11591.py | 40 +++++++++++--- tests/bugfixes/github/test_CVE_2017_11592.py | 43 ++++++++++++--- tests/bugfixes/github/test_CVE_2017_11683.py | 41 +++++++++++--- tests/bugfixes/github/test_CVE_2017_12955.py | 23 ++++++-- tests/bugfixes/github/test_CVE_2017_12956.py | 43 ++++++++++++--- tests/bugfixes/github/test_CVE_2017_12957.py | 44 ++++++++++++--- tests/bugfixes/github/test_CVE_2017_14857.py | 54 ++++++++++++++++--- tests/bugfixes/github/test_CVE_2017_14858.py | 46 +++++++++++++--- tests/bugfixes/github/test_CVE_2017_14861.py | 45 +++++++++++++--- tests/bugfixes/github/test_CVE_2017_14863.py | 42 ++++++++++++--- tests/bugfixes/github/test_CVE_2017_14865.py | 41 +++++++++++--- tests/bugfixes/github/test_CVE_2017_14866.py | 40 +++++++++++--- tests/bugfixes/github/test_CVE_2017_9953.py | 18 ++++--- tests/bugfixes/github/test_issue_159.py | 38 +++++++++++-- tests/suite.conf | 1 + 22 files changed, 676 insertions(+), 123 deletions(-) diff --git a/tests/bugfixes/github/test_CVE_2017_1000127.py b/tests/bugfixes/github/test_CVE_2017_1000127.py index bdb5642b..a8d9f5ea 100644 --- a/tests/bugfixes/github/test_CVE_2017_1000127.py +++ b/tests/bugfixes/github/test_CVE_2017_1000127.py 
@@ -8,9 +8,37 @@ class TestPoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/176" filename = "$data_path/heap-oob-write.tiff" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 310 Bytes +MIME type : image/tiff +Image size : 200 x 130 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : 200 x 130 +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = ["ignored"] + retval = [0] + + compare_stderr = system_tests.check_no_ASAN_UBSAN_errors diff --git a/tests/bugfixes/github/test_CVE_2017_11336.py b/tests/bugfixes/github/test_CVE_2017_11336.py index 91466757..943cb8ff 100644 --- a/tests/bugfixes/github/test_CVE_2017_11336.py +++ b/tests/bugfixes/github/test_CVE_2017_11336.py 
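Review bot: With `compare_stderr = system_tests.check_no_ASAN_UBSAN_errors` the literal `stderr = ["ignored"]` is never compared, so this test no longer pins what exiv2 reports for heap-oob-write.tiff; any parsing change that still avoids a sanitizer report, including silently accepting the malformed entry, passes. The sibling tests in this patch that keep the exact `Error:`/`Warning:` lines (e.g. test_CVE_2017_11336) are the stronger regression guards, so consider recording the actual stderr here too, or explaining in a comment why it cannot be pinned, e.g. `# stderr is not pinned (presumably build-dependent); only the absence of sanitizer reports is checked`. The same pattern recurs in test_CVE_2017_11591, 11683, 14865, 14866 and test_issue_159 in this patch.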
@@ -8,10 +8,38 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/49" filename = "$data_path/POC2" - commands = ["$exiv2 " + filename] - retval = [1] - stdout = [""] + commands = ["$exiv2 $filename"] + retval = [0] + stdout = ["""File name : $filename +File size : 60 Bytes +MIME type : image/tiff +Image size : 0 x 0 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] stderr = [ - """$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc + """Error: Directory Image, entry 0x0000 has invalid size 4294967295*8; skipping entry. +Error: Directory Image, entry 0x0000 has invalid size 1229524224*4; skipping entry. +Error: Directory Image, entry 0x0000 has invalid size 1229520896*8; skipping entry. """] diff --git a/tests/bugfixes/github/test_CVE_2017_11337.py b/tests/bugfixes/github/test_CVE_2017_11337.py index dc3cfca5..0e646ccf 100644 --- a/tests/bugfixes/github/test_CVE_2017_11337.py +++ b/tests/bugfixes/github/test_CVE_2017_11337.py @@ -8,9 +8,17 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/50" filename = "$data_path/POC3" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 28 Bytes +MIME type : image/tiff +Image size : 0 x 0 +""" + ] + stderr = [ + """Error: Directory Image, entry 0x0144 has invalid size 4294967295*8; skipping entry. +$filename: No Exif data found in the file +""" + ] + retval = ["$no_exif_data_found_retval"] 
diff --git a/tests/bugfixes/github/test_CVE_2017_11338.py b/tests/bugfixes/github/test_CVE_2017_11338.py index 9b6d1153..96b5b86c 100644 --- a/tests/bugfixes/github/test_CVE_2017_11338.py +++ b/tests/bugfixes/github/test_CVE_2017_11338.py @@ -8,9 +8,18 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/51" filename = "$data_path/POC4" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 35 Bytes +MIME type : image/x-panasonic-rw2 +Image size : 0 x 0 +""" + ] + stderr = [ + """Warning: Directory PanasonicRaw has an unexpected next pointer; ignored. +Error: Directory PanasonicRaw, entry 0x002e has invalid size 4294967295*1; skipping entry. +$filename: No Exif data found in the file +""" + ] + retval = ["$no_exif_data_found_retval"] diff --git a/tests/bugfixes/github/test_CVE_2017_11339.py b/tests/bugfixes/github/test_CVE_2017_11339.py index 20fdd682..de2fa373 100644 --- a/tests/bugfixes/github/test_CVE_2017_11339.py +++ b/tests/bugfixes/github/test_CVE_2017_11339.py 
@@ -8,9 +8,37 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/52" filename = "$data_path/POC5" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc + commands = ["$exiv2 $filename"] + stdout = ["""File name : $filename +File size : 60 Bytes +MIME type : image/x-olympus-orf +Image size : 0 x 0 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + """] - retval = [1] + stderr = [ + """Error: Directory Image, entry 0xcf45 has invalid size 4294967292*4; skipping entry. +Error: Offset of directory Image, entry 0x8000 is out of bounds: Offset = 0x0012ff00; truncating the entry +""" + ] + retval = [0] diff --git a/tests/bugfixes/github/test_CVE_2017_11340.py b/tests/bugfixes/github/test_CVE_2017_11340.py index 497b7871..d550d55e 100644 --- a/tests/bugfixes/github/test_CVE_2017_11340.py +++ b/tests/bugfixes/github/test_CVE_2017_11340.py 
@@ -8,9 +8,38 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/53" filename = "$data_path/POC6" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc + commands = ["$exiv2 $filename"] + stdout = ["""File name : $filename +File size : 60 Bytes +MIME type : image/x-olympus-orf +Image size : 0 x 0 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + """] - retval = [1] + stderr = [ + """Error: Directory Image, entry 0x0000 has invalid size 4294967295*1; skipping entry. +Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x7e000000; truncating the entry +Error: Offset of directory Image, entry 0x0111 is out of bounds: Offset = 0x7e000000; truncating the entry +""" + ] + retval = [0] diff --git a/tests/bugfixes/github/test_CVE_2017_11553.py b/tests/bugfixes/github/test_CVE_2017_11553.py index 17d56e87..6d1a5711 100644 --- a/tests/bugfixes/github/test_CVE_2017_11553.py +++ b/tests/bugfixes/github/test_CVE_2017_11553.py 
@@ -8,9 +8,41 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/54" filename = "$data_path/POC7" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 632 Bytes +MIME type : image/tiff +Image size : 0 x 0 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = [ + """Error: Directory Image, entry 0x0000 has invalid size 1229520896*8; skipping entry. +Error: Directory Image, entry 0x0000 has invalid size 1447624704*8; skipping entry. +Error: Directory Image, entry 0x0111 has invalid size 4294967295*2; skipping entry. +Warning: Directory Image, entry 0x0111: Size or data offset value not set, ignoring them. +""" + ] + retval = [0] diff --git a/tests/bugfixes/github/test_CVE_2017_11591.py b/tests/bugfixes/github/test_CVE_2017_11591.py index 83ca8d9f..b701a666 100644 --- a/tests/bugfixes/github/test_CVE_2017_11591.py +++ b/tests/bugfixes/github/test_CVE_2017_11591.py 
@@ -8,9 +8,37 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/55" filename = "$data_path/POC8" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 2044 Bytes +MIME type : image/tiff +Image size : 0 x 0 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = ["ignored"] + retval = [0] + + compare_stderr = system_tests.check_no_ASAN_UBSAN_errors diff --git a/tests/bugfixes/github/test_CVE_2017_11592.py b/tests/bugfixes/github/test_CVE_2017_11592.py index 49273031..bd9d9c1a 100644 --- a/tests/bugfixes/github/test_CVE_2017_11592.py +++ b/tests/bugfixes/github/test_CVE_2017_11592.py 
@@ -8,9 +8,40 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/56" filename = "$data_path/POC9" - commands = ["$exiv2 " + filename] - stdout = [""""""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 523 Bytes +MIME type : image/tiff +Image size : 0 x 0 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = [ + """Error: Upper boundary of data for directory Image, entry 0x02bc is out of bounds: Offset = 0x00000001, size = 5852, exceeds buffer size by 5330 Bytes; truncating the entry +Error: Directory Thumbnail: Next pointer is out of bounds; ignored. +Error: Directory Thumbnail, entry 0x02bc has invalid size 4294967295*2; skipping entry. +""" + ] + retval = [0] diff --git a/tests/bugfixes/github/test_CVE_2017_11683.py b/tests/bugfixes/github/test_CVE_2017_11683.py index e00a8be3..0b6bf71a 100644 --- a/tests/bugfixes/github/test_CVE_2017_11683.py +++ b/tests/bugfixes/github/test_CVE_2017_11683.py 
@@ -8,10 +8,37 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/57" filename = "$data_path/POC" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$kerInvalidTypeValue: 0 -$exiv2_exception_message """ + filename + """: -$kerInvalidTypeValue -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 712 Bytes +MIME type : image/tiff +Image size : 0 x 0 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = ["ignored"] + retval = [0] + + compare_stderr = system_tests.check_no_ASAN_UBSAN_errors diff --git a/tests/bugfixes/github/test_CVE_2017_12955.py b/tests/bugfixes/github/test_CVE_2017_12955.py index 80e42013..2d945fa4 100644 --- a/tests/bugfixes/github/test_CVE_2017_12955.py +++ b/tests/bugfixes/github/test_CVE_2017_12955.py 
@@ -8,9 +8,22 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/58" filename = "$data_path/POC11" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 100 Bytes +MIME type : image/pgf +Image size : 131345 x 65536 +""" + ] + stderr = ["""Error: Directory Image: Next pointer is out of bounds; ignored. +Error: Directory Image, entry 0x0000 has invalid size 3402235904*1; skipping entry. +Error: Directory Image, entry 0x014a has invalid size 4294967295*1; skipping entry. +Warning: Directory Image, entry 0x014a doesn't look like a sub-IFD. +Warning: Directory Image, entry 0x4720 has unknown Exif (TIFF) type 60362; setting type size 1. +Error: Directory Image, entry 0x4720 has invalid size 1330792777*1; skipping entry. +Warning: Directory Image, entry 0x0001 has unknown Exif (TIFF) type 0; setting type size 1. +Error: Directory Image, entry 0x0001 has invalid size 3401632458*1; skipping entry. +$filename: No Exif data found in the file """] - retval = [1] + retval = ["$no_exif_data_found_retval"] diff --git a/tests/bugfixes/github/test_CVE_2017_12956.py b/tests/bugfixes/github/test_CVE_2017_12956.py index 5a956ea6..779a89ba 100644 --- a/tests/bugfixes/github/test_CVE_2017_12956.py +++ b/tests/bugfixes/github/test_CVE_2017_12956.py 
@@ -8,9 +8,40 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/59" filename = "$data_path/POC12" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 68 Bytes +MIME type : image/x-olympus-orf +Image size : 0 x 0 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = [ + """Error: Offset of directory Image, entry 0x0111 is out of bounds: Offset = 0x00001b15; truncating the entry +Warning: Directory Image, entry 0x0111: Size and data offset entries have different number of components, ignoring them. +Error: Directory Image, entry 0x010f has invalid size 2147483647*2; skipping entry. +""" + ] + retval = [0] diff --git a/tests/bugfixes/github/test_CVE_2017_12957.py b/tests/bugfixes/github/test_CVE_2017_12957.py index 1b8e4a01..98e1b27a 100644 --- a/tests/bugfixes/github/test_CVE_2017_12957.py +++ b/tests/bugfixes/github/test_CVE_2017_12957.py 
@@ -8,9 +8,41 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/60" filename = "$data_path/POC13" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 60 Bytes +MIME type : image/x-olympus-orf +Image size : 0 x 0 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = [ + """Error: Offset of directory Image, entry 0x0000 is out of bounds: Offset = 0x7e000000; truncating the entry +Error: Offset of directory Image, entry 0x0117 is out of bounds: Offset = 0x4f524900; truncating the entry +Error: Directory Image, entry 0x0004 has invalid size 4294967289*2; skipping entry. +Error: Offset of directory Image, entry 0x0100 is out of bounds: Offset = 0x0012ff00; truncating the entry +""" + ] + retval = [0] diff --git a/tests/bugfixes/github/test_CVE_2017_14857.py b/tests/bugfixes/github/test_CVE_2017_14857.py index 84a07c42..b70d18dd 100644 --- a/tests/bugfixes/github/test_CVE_2017_14857.py +++ b/tests/bugfixes/github/test_CVE_2017_14857.py 
@@ -8,10 +8,52 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/76" filename = "$data_path/010_bad_free" - commands = ["$exiv2 " + filename] - retval = [1] - stdout = [""] + commands = ["$exiv2 $filename"] + retval = [0] + stdout = [ + """File name : $filename +File size : 20274 Bytes +MIME type : image/tiff +Image size : 12336 x 12336 +Camera make : 00000000 +Camera model : 000000000000 +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : 12336 x 12336 +White balance : +Thumbnail : None +Copyright : 00000 +Exif comment : + +""" + ] stderr = [ - """$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] + """Warning: Directory Image, entry 0x0111: Strip 0 is outside of the data area; ignored. +Warning: Directory Image, entry 0x0111: Strip 1 is outside of the data area; ignored. +Warning: Directory Image, entry 0x0111: Strip 2 is outside of the data area; ignored. +Warning: Directory Image, entry 0x0111: Strip 3 is outside of the data area; ignored. +Warning: Directory Image, entry 0x0111: Strip 4 is outside of the data area; ignored. +Warning: Directory Image, entry 0x0111: Strip 5 is outside of the data area; ignored. +Warning: Directory Image, entry 0x0111: Strip 6 is outside of the data area; ignored. +Warning: Directory Image, entry 0x0111: Strip 7 is outside of the data area; ignored. +Warning: Directory Image, entry 0x0111: Strip 8 is outside of the data area; ignored. +Warning: Directory Image, entry 0x0111: Strip 9 is outside of the data area; ignored. +Error: Offset of directory Image, entry 0x0132 is out of bounds: Offset = 0x30003030; truncating the entry +Error: Directory Image, entry 0x8649 has invalid size 4294967295*1; skipping entry. 
+Error: Directory Image, entry 0x8769 Sub-IFD pointer 0 is out of bounds; ignoring it. +Error: XMP Toolkit error 201: XML parsing failure +Warning: Failed to decode XMP metadata. +""" + ] diff --git a/tests/bugfixes/github/test_CVE_2017_14858.py b/tests/bugfixes/github/test_CVE_2017_14858.py index 09572ee6..d08bd805 100644 --- a/tests/bugfixes/github/test_CVE_2017_14858.py +++ b/tests/bugfixes/github/test_CVE_2017_14858.py @@ -8,9 +8,43 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/138" filename = "$data_path/007-heap-buffer-over" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 331696 Bytes +MIME type : image/tiff +Image size : 0 x 12336 +Camera make : 0000 +Camera model : 0000000000000 +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = [ + """Error: Offset of directory Image, entry 0x0100 is out of bounds: Offset = 0x30303030; truncating the entry +Warning: Directory Image, entry 0x0111: Strip 17 is outside of the data area; ignored. +Error: Directory Photo with 8224 entries considered invalid; not read. +Warning: Removing 913 characters from the beginning of the XMP packet +Error: XMP Toolkit error 201: XML parsing failure +Warning: Failed to decode XMP metadata. +""" + ] + retval = [0] diff --git a/tests/bugfixes/github/test_CVE_2017_14861.py b/tests/bugfixes/github/test_CVE_2017_14861.py index 5e4cf362..ee98780e 100644 --- a/tests/bugfixes/github/test_CVE_2017_14861.py +++ b/tests/bugfixes/github/test_CVE_2017_14861.py 
@@ -11,9 +11,42 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): ] filename = "$data_path/009-stack-over" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = ["""File name : $filename +File size : 340 Bytes +MIME type : image/tiff +Image size : 0 x 0 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = [ + """Error: Directory Image: Next pointer is out of bounds; ignored. +Error: Offset of directory Image, entry 0x00fe is out of bounds: Offset = 0x00000000; truncating the entry +Error: Directory Image, entry 0x0100 has invalid size 1935897193*2; skipping entry. +Warning: Directory Image, entry 0x303e has unknown Exif (TIFF) type 12320; setting type size 1. +Error: Offset of directory Image, entry 0x0116 is out of bounds: Offset = 0x0011302a; truncating the entry +Warning: Directory Image, entry 0x0111: Strip 0 is outside of the data area; ignored. +""" + ] + retval = [0] diff --git a/tests/bugfixes/github/test_CVE_2017_14863.py b/tests/bugfixes/github/test_CVE_2017_14863.py index 78b4c101..ff95e2ef 100644 --- a/tests/bugfixes/github/test_CVE_2017_14863.py +++ b/tests/bugfixes/github/test_CVE_2017_14863.py 
@@ -8,9 +8,39 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/132" filename = "$data_path/01-Null-exiv2-poc" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 24550 Bytes +MIME type : image/tiff +Image size : 12336 x 12336 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : 12336 x 12336 +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = [ + """Warning: Directory Image, entry 0x0144: Strip 0 is outside of the data area; ignored. +Error: Directory Image, entry 0x87b1 has invalid size 4294967295*1; skipping entry. +""" + ] + retval = [0] diff --git a/tests/bugfixes/github/test_CVE_2017_14865.py b/tests/bugfixes/github/test_CVE_2017_14865.py index 9392c051..6e070690 100644 --- a/tests/bugfixes/github/test_CVE_2017_14865.py +++ b/tests/bugfixes/github/test_CVE_2017_14865.py 
@@ -8,10 +8,37 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/134" filename = "$data_path/004-heap-buffer-over" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$kerInvalidTypeValue: 250 -$exiv2_exception_message """ + filename + """: -$kerInvalidTypeValue -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 352222 Bytes +MIME type : image/tiff +Image size : 17 x 12288 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : 17 x 12288 +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = ["ignored"] + retval = [0] + + compare_stderr = system_tests.check_no_ASAN_UBSAN_errors diff --git a/tests/bugfixes/github/test_CVE_2017_14866.py b/tests/bugfixes/github/test_CVE_2017_14866.py index da4fdb81..09ab89d5 100644 --- a/tests/bugfixes/github/test_CVE_2017_14866.py +++ b/tests/bugfixes/github/test_CVE_2017_14866.py 
@@ -8,9 +8,37 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/140" filename = "$data_path/006-heap-buffer-over" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 309965 Bytes +MIME type : image/tiff +Image size : 17 x 12305 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : 17 x 12305 +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = ["ignored"] + retval = [0] + + compare_stderr = system_tests.check_no_ASAN_UBSAN_errors diff --git a/tests/bugfixes/github/test_CVE_2017_9953.py b/tests/bugfixes/github/test_CVE_2017_9953.py index 22af56d3..607d87ad 100644 --- a/tests/bugfixes/github/test_CVE_2017_9953.py +++ b/tests/bugfixes/github/test_CVE_2017_9953.py @@ -8,9 +8,15 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): url = "https://github.com/Exiv2/exiv2/issues/144" filename = "$data_path/POC1" - commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerInvalidMalloc -"""] - retval = [1] + commands = ["$exiv2 $filename"] + stdout = [ + """File name : $filename +File size : 26 Bytes +MIME type : image/tiff +Image size : 0 x 0 +""" + ] + stderr = [""] + retval = ["$no_exif_data_found_retval"] + + compare_stderr = system_tests.check_no_ASAN_UBSAN_errors diff --git a/tests/bugfixes/github/test_issue_159.py b/tests/bugfixes/github/test_issue_159.py index 820d32ab..72532550 100644 --- a/tests/bugfixes/github/test_issue_159.py +++ b/tests/bugfixes/github/test_issue_159.py 
@@ -12,11 +12,39 @@ class TestFirstPoC(metaclass=system_tests.CaseMeta): filename = "$data_path/printStructure" commands = ["$exiv2 " + filename] - stdout = [""] - stderr = ["""$exiv2_exception_message """ + filename + """: -$kerCorruptedMetadata -"""] - retval = [1] + stdout = [ + """File name : $filename +File size : 12357 Bytes +MIME type : image/tiff +Image size : 0 x 0 +Camera make : +Camera model : +Image timestamp : +Image number : +Exposure time : +Aperture : +Exposure bias : +Flash : +Flash bias : +Focal length : +Subject distance: +ISO speed : +Exposure mode : +Metering mode : +Macro mode : +Image quality : +Exif Resolution : +White balance : +Thumbnail : None +Copyright : +Exif comment : + +""" + ] + stderr = [""] + retval = [0] + + compare_stderr = system_tests.check_no_ASAN_UBSAN_errors # todo: diff --git a/tests/suite.conf b/tests/suite.conf index afee3fe2..36849618 100644 --- a/tests/suite.conf +++ b/tests/suite.conf @@ -30,3 +30,4 @@ exiv2_exception_message: Exiv2 exception in print action for file exiv2_overflow_exception_message: std::overflow_error exception in print action for file exception_in_extract: Exiv2 exception in extract action for file uncaught_exception: Uncaught exception: +no_exif_data_found_retval: 253 From 4090ca475f10490a7560bb56668efa5f771f9956 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Wed, 1 Aug 2018 00:19:14 +0200 Subject: [PATCH 04/10] [testsuite] disable bugfixes-test.sh --- test/Makefile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/Makefile b/test/Makefile index 7216bdcd..c0811fe6 100644 --- a/test/Makefile +++ b/test/Makefile @@ -62,7 +62,6 @@ SVN = svn://dev.exiv2.org/svn/testdata/trunk ## # Add test drivers to this list TESTS = addmoddel.sh \ - bugfixes-test.sh \ conversions.sh \ exifdata-test.sh \ exiv2-test.sh \ 
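Review bot: `stderr = [""]` is dead here because `compare_stderr` is overridden with `check_no_ASAN_UBSAN_errors`, so the test accepts any diagnostics as long as no sanitizer summary appears; if the expected stderr really is empty, dropping the override pins it. The unchanged `commands = ["$exiv2 " + filename]` context line also differs from the `"$exiv2 $filename"` form the other tests in this patch moved to; `commands = ["$exiv2 $filename"]` keeps variable expansion consistent across the suite. The trailing `# todo:` context line leaves the test's intent unexplained and could name what is still missing.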
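Review bot: `no_exif_data_found_retval: 253` introduces a magic exit status without saying where it comes from, so a reader cannot verify it against the binary without running one of the tests that use it. If the suite's config parser accepts comments, a line above it such as `# exit status exiv2 returns when a file contains no Exif data (see the "No Exif data found in the file" message)` documents the contract the tests depend on.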
@@ -171,4 +170,4 @@ maintainer-clean: distclean
rm -rf $(top_srcdir)/data/video $(top_srcdir)/test/data/eps
# That's all Folks!
-##
\ No newline at end of file
+##
From 03799c75e11dc13c7599b585dffc04714b73ee85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Fri, 31 Aug 2018 16:43:17 +0200
Subject: [PATCH 05/10] [testsuite] Add support for binary output to check_no_ASAN_UBSAN_errors
---
tests/system_tests.py | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/tests/system_tests.py b/tests/system_tests.py
index be149c43..701b2cbb 100644
--- a/tests/system_tests.py
+++ b/tests/system_tests.py
@@ -927,6 +927,21 @@ def check_no_ASAN_UBSAN_errors(self, i, command, got_stderr, expected_stderr):
It will not complain in all other cases, especially when expected_stderr and got_stderr do not match:
>>> T.compare_stderr(0, "", "some output", "other output")
+
+ This function also supports binary output:
+ >>> ASAN_ERROR = bytes("SUMMARY: AddressSanitizer: heap-buffer-overflow", encoding='ascii')
+ >>> T.compare_stderr(0, "", ASAN_ERROR, "other output")
+ Traceback (most recent call last):
+ ..
+ AssertionError: b'AddressSanitizer' unexpectedly found in b'SUMMARY: AddressSanitizer: heap-buffer-overflow'
"""
- self.assertNotIn("runtime error", got_stderr)
- self.assertNotIn("AddressSanitizer", got_stderr)
+ UBSAN_MSG = "runtime error"
+ ASAN_MSG = "AddressSanitizer"
+
+ if isinstance(got_stderr, bytes):
+ self.assertNotIn(UBSAN_MSG.encode('ascii'), got_stderr)
+ self.assertNotIn(ASAN_MSG.encode('ascii'), got_stderr)
+ return
+
+ self.assertNotIn(UBSAN_MSG, got_stderr)
+ self.assertNotIn(ASAN_MSG, got_stderr)
From b3199a072073ac6292e5bbbd5cce2167f1932ea8 Mon Sep 17 00:00:00 2001
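Review bot: The `bytes` branch and the `str` branch of the new body repeat each `assertNotIn` with only the needle type differing, so every further sanitizer marker (a third string) has to be added in two places and the early `return` is the only thing keeping the two paths apart. Deriving the needles once and encoding them when `got_stderr` is `bytes` leaves a single assertion loop, shown below as the whole body after the docstring; the behaviour, including the added doctest, is unchanged. The `def` line of check_no_ASAN_UBSAN_errors and the start of its docstring lie above the hunk.
```python
    # … unchanged: docstring …
    needles = ("runtime error", "AddressSanitizer")
    if isinstance(got_stderr, bytes):
        needles = tuple(needle.encode('ascii') for needle in needles)
    for needle in needles:
        self.assertNotIn(needle, got_stderr)
```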
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Mon, 3 Sep 2018 21:14:16 +0200
Subject: [PATCH 06/10] Fix division by zero in BigTiffImage::printIFD This fixes #262
---
src/bigtiffimage.cpp | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/bigtiffimage.cpp b/src/bigtiffimage.cpp
index d80e2c51..26165231 100644
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@@ -251,8 +251,12 @@ namespace Exiv2
// size * count > std::numeric_limits::max()
// =>
// size > std::numeric_limits::max() / count
- if (size > std::numeric_limits::max() / count)
- throw Error(kerInvalidMalloc); // we got number bigger than 2^64
+ // (don't perform that check when count == 0 => will cause a division by zero exception)
+ if (count != 0) {
+ if (size > std::numeric_limits::max() / count) {
+ throw Error(kerInvalidMalloc); // we got number bigger than 2^64
+ }
+ }
// more than we can handle
if (size * count > std::numeric_limits::max() - pad)
From ecf955812d6b077e7d9fcd6e4f72d48688ae6e60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Mon, 3 Sep 2018 21:15:32 +0200
Subject: [PATCH 07/10] Replace reachable assertions with enforce in BigTiffImage::readData
---
src/bigtiffimage.cpp | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/bigtiffimage.cpp b/src/bigtiffimage.cpp
index 26165231..2672ba07 100644
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@@ -7,6 +7,7 @@
#include "exif.hpp"
#include "error.hpp"
#include "image_int.hpp"
+#include "enforce.hpp"
namespace Exiv2
@@ -411,7 +412,7 @@ namespace Exiv2
uint64_t readData(int size) const
{
const DataBuf data = Image::io().read(size);
- assert(data.size_ != 0);
+ enforce(data.size_ != 0, kerCorruptedMetadata);
uint64_t result = 0;
@@ -424,7 +425,7 @@ namespace Exiv2
else if (size == 8)
result = byteSwap8(data, 0, doSwap_);
else
- assert(!"unexpected size");
+ throw Exiv2::Error(kerCorruptedMetadata);
return result;
}
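Review bot: The comment added in the `@@ -251,8 +251,12 @@` hunk says a zero `count` "will cause a division by zero exception", but integer division by zero in C++ is undefined behaviour (typically a SIGFPE on the targets in use), not something a `catch` can intercept, and the wording invites exactly that misunderstanding; `// count == 0 would make the division below undefined behaviour; the product is 0 then, so no overflow check is needed` states the real reason the guard exists. The two nested `if`s can also be a single condition by prefixing the existing comparison with `count != 0 &&`, which keeps the division protected through short-circuit evaluation without the extra brace level. The enclosing function (printIFD, per the commit title) begins before the hunk and continues past it.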
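Review bot: `enforce(data.size_ != 0, kerCorruptedMetadata)` in the `@@ -411,7 +412,7 @@` hunk still accepts a short read, so a truncated file that yields fewer than `size` bytes passes the check and the value is then decoded at the wrong width (`size` here, `data.size_` after the `@@ -416,13 +416,13 @@` hunk of patch 08 further down) instead of being rejected. Requiring the full read, `enforce(data.size_ == size, kerCorruptedMetadata);`, rejects such files at the point of reading and makes the later width dispatch exact; the same point applies to the patch 08 hunk, which is why it is raised only once here. readData's body continues past this hunk. As a minor style point, `throw Exiv2::Error(kerCorruptedMetadata)` in the `@@ -424` hunk sits inside `namespace Exiv2` and could match the existing `throw Error(kerInvalidMalloc)` in this file.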
From 67ec90bdabf58f62a4719feb3f1350f84c4f3b6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Mon, 3 Sep 2018 21:16:02 +0200
Subject: [PATCH 08/10] Fix switch value in BigTiffImage::readData This function extracts a 2, 4 or 8 byte integer from the image and swaps it according to the current setting. However, it was implicitly assuming, that it reads the same amount from the image is is requested. If that is not the case, e.g. if 8 bytes are requested but only 4 are read => result is created via byteSwap8() which reads 8 bytes !but 4 of those are uninitialized! Using the actually read size fixes this problem.
---
src/bigtiffimage.cpp | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/bigtiffimage.cpp b/src/bigtiffimage.cpp
index 2672ba07..e3468bdc 100644
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@@ -416,13 +416,13 @@ namespace Exiv2
uint64_t result = 0;
- if (size == 1)
- {}
- else if (size == 2)
+ if (data.size_ == 1)
+ {}
+ else if (data.size_ == 2)
result = byteSwap2(data, 0, doSwap_);
- else if (size == 4)
+ else if (data.size_ == 4)
result = byteSwap4(data, 0, doSwap_);
- else if (size == 8)
+ else if (data.size_ == 8)
result = byteSwap8(data, 0, doSwap_);
else
throw Exiv2::Error(kerCorruptedMetadata);
From 2b74ad4feb478781dffaefc81af8c7e80e50cb90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?=
Date: Mon, 10 Sep 2018 13:05:09 +0200
Subject: [PATCH 09/10] Default initialyze DataBuf::pData_ so that valgrind does not complain
---
include/exiv2/types.hpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/exiv2/types.hpp b/include/exiv2/types.hpp
index f68303f6..56533a36 100644
--- a/include/exiv2/types.hpp
+++ b/include/exiv2/types.hpp
@@ -211,7 +211,7 @@ namespace Exiv2 {
//! Default constructor
DataBuf() : pData_(0), size_(0) {}
//! Constructor with an initial buffer size
- explicit DataBuf(long size) : pData_(new byte[size]), size_(size) {}
+ explicit DataBuf(long size) : pData_(new byte[size]()), size_(size) {}
//! Constructor, copies an existing buffer
DataBuf(const byte* pData, long size);
/*!
From 19bb57ff251a83f30e36f2b158652fcb831eeb73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Fri, 31 Aug 2018 00:33:37 +0200
Subject: [PATCH 10/10] Add reproducer for #262 to the test suite
---
test/data/7-printIFD-divbyzero-1 | Bin 0 -> 24 bytes
tests/bugfixes/github/test_issue_262.py | 25 ++++++++++++++++++++++++
2 files changed, 25 insertions(+)
create mode 100644 test/data/7-printIFD-divbyzero-1
create mode 100644 tests/bugfixes/github/test_issue_262.py
diff --git a/test/data/7-printIFD-divbyzero-1 b/test/data/7-printIFD-divbyzero-1
new file mode 100644
index 0000000000000000000000000000000000000000..3a095024df6a14fd21814c3766ab17f5005a1f91
GIT binary patch literal 24 ScmebD)MnsdU;twv1*ZWLkpR{J literal 0 HcmV?d00001
diff --git a/tests/bugfixes/github/test_issue_262.py b/tests/bugfixes/github/test_issue_262.py
new file mode 100644
index 00000000..eadfd91c
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_262.py
@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+
+import system_tests
+
+
+class DivByZeroInPrintIFD(metaclass=system_tests.CaseMeta):
+
+ url = "https://github.com/Exiv2/exiv2/issues/262"
+
+ filename = system_tests.path(
+ "$data_path/7-printIFD-divbyzero-1"
+ )
+ commands = ["$exiv2 -pX $filename"]
+ stdout = [
+ """STRUCTURE OF BIGTIFF FILE $filename
+ address | tag | type | count | offset | value
+ 10 | 0x0008 FlashSetting | unknown | 0 | |
+"""
+ ]
+ stderr = [
+ """$exiv2_exception_message $filename:
+$kerCorruptedMetadata
+"""
+ ]
+ retval = [1]
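Review bot: The `//! Constructor with an initial buffer size` comment above the changed constructor in the `@@ -211,7 +211,7 @@` hunk does not say that `new byte[size]()` now value-initializes the buffer to zero, and that is the property callers and reviewers will rely on; `//! Constructor with an initial buffer size; the buffer is zero-initialized` records it. Zero-filling also silences valgrind's uninitialized-read reports for short reads rather than detecting them, so it should not be taken as a fix for readers such as readData that still have to check how many bytes were actually read. `size` is a `long` that is passed to `new byte[size]` without a non-negative check; whether every caller guarantees that is not visible in this hunk.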