From b51b6fc52da6005fe7a6095ed85810d41cdcf9db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Fri, 25 May 2018 00:45:42 +0200
Subject: [PATCH] Prevent an out of bounds read in strstr in JpegBase::printStructure

The xmp byte array is not necessarily null terminated => strstr can read beyond the bounds of the allocated array then. Therefore use string_from_unterminated to remedy this issue. Also replace xmp with a std::vector, as stl functions can throw and we don't want a memory leak.
---
 src/jpgimage.cpp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/jpgimage.cpp b/src/jpgimage.cpp
index d8757bef..20cc2a20 100644
--- a/src/jpgimage.cpp
+++ b/src/jpgimage.cpp
@@ -658,8 +658,8 @@ namespace Exiv2 {
 // extract XMP
 if (size > 0) {
 io_->seek(-bufRead, BasicIo::cur);
- byte* xmp = new byte[size + 1];
- io_->read(xmp, size);
+ std::vector xmp(size + 1);
+ io_->read(xmp.data(), size);
 int start = 0;
 
 // http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/xmp/pdfs/XMPSpecificationPart3.pdf
@@ -670,10 +670,11 @@ namespace Exiv2 {
 // and dumping the XMP in a post read operation similar to kpsIptcErase
 // for the moment, dumping 'on the fly' is working fine
 if (!bExtXMP) {
- while (xmp[start])
+ while (xmp.at(start))
 start++;
 start++;
- if (::strstr((char*)xmp + start, "HasExtendedXMP")) {
+ std::string xmp_from_start = string_from_unterminated((char*)&xmp.at(start), size - start);
+ if (xmp_from_start.find("HasExtendedXMP", start) != xmp_from_start.npos) {
 start = size; // ignore this packet, we'll get on the next time around
 bExtXMP = true;
 }
@@ -681,8 +682,7 @@ namespace Exiv2 {
 start = 2 + 35 + 32 + 4 + 4; // Adobe Spec, p19
 }
 
- out.write((const char*)(xmp + start), size - start);
- delete[] xmp;
+ out.write((const char*)(&xmp.at(start)), size - start);
 bufRead = size;
 done = !bExtXMP;
 }
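Review bot: The byte count returned by `io_->read(xmp.data(), size)` is still discarded, so on a truncated stream the zero-filled remainder of the vector is parsed as if it were packet data; comparing the return value with `size` and treating a short read as end of input would make the truncation explicit instead of silent. The rendered line `std::vector xmp(size + 1);` shows no element type — presumably `std::vector<byte>` with the angle brackets lost in rendering; as printed, class template argument deduction has no guide for a lone size argument, so it would not compile. The `if (size > 0)` block that owns `xmp` continues into the next two hunks.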
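Review bot: `xmp_from_start.find("HasExtendedXMP", start)` applies `start` twice: the string already begins at `&xmp.at(start)`, so passing `start` as the search position skips the first `start` bytes of the remaining packet, whereas the replaced `::strstr((char*)xmp + start, ...)` searched from its beginning — the call should be `xmp_from_start.find("HasExtendedXMP") != std::string::npos`. The NUL scan no longer overruns because the vector's extra element at index `size` is value-initialized to 0, but a packet with no NUL in its first `size` bytes leaves `start` at `size + 1`, so the following `xmp.at(start)` throws `std::out_of_range` and `size - start` would be negative. An explicit `if (start > size)` check that treats the segment as malformed would make that case a deliberate parse error rather than an exception whose handling is not visible here. Whether `string_from_unterminated` takes the length as a signed or unsigned type is not shown in the hunk; if unsigned, a negative `size - start` becomes a huge count, which is why the guard belongs before the call. The enclosing function continues outside the hunk.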
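Review bot: `&xmp.at(start)` in the new `out.write` call throws `std::out_of_range` whenever `start` exceeds `size`, which can happen right after the context line `start = 2 + 35 + 32 + 4 + 4;` sets the fixed extended-XMP header length without checking that the packet is at least that long. The old code read past the buffer in that case, so the throw is an improvement, but `size - start` is also negative there and how the write length is interpreted depends on the type of `size`, which this hunk does not show. An explicit `if (start > size)` check before the write that reports the segment as malformed would keep the length arithmetic in range without relying on the exception. The block closes within the hunk but the enclosing function continues past it.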