Merge pull request #2180 from Exiv2/main_issue2178

Fix out of bounds read in isValidBoxFileType()

src/jp2image_int.cpp

@@ -11,7 +11,7 @@ namespace Exiv2::Internal {
 
 bool isValidBoxFileType(const std::vector<uint8_t>& boxData) {
   // BR & MinV are obligatory (4 + 4 bytes). Afterwards we have N compatibility lists (of size 4)
-  if ((boxData.size() - 8u) % 4u != 0) {
+  if (boxData.size() < 8 || ((boxData.size() - 8u) % 4u) != 0) {
     return false;
   }
 

tests/regression_tests/test_regression_allfiles.py

@@ -89,6 +89,7 @@ def get_valid_files(data_dir):
         "issue_869_poc.png",
         "issue_960.poc.webp",
         "issue_2160_poc.jpg",
+        "issue_2178_poc.jp2",
         "issue_ghsa_583f_w9pm_99r2_poc.jp2",
         "issue_ghsa_7569_phvm_vwc2_poc.jp2",
         "issue_ghsa_mxw9_qx4c_6m8v_poc.jp2",

unitTests/test_jp2image_int.cpp

@@ -58,6 +58,11 @@ TEST(Jp2_FileTypeBox, withInvalidBoxDataSizeIsInvalid) {
   ASSERT_FALSE(isValidBoxFileType(boxData));
 }
 
+TEST(Jp2_FileTypeBox, withSmallBoxDataSizeIsInvalid) {
+  std::vector<std::uint8_t> boxData(7);  // Minimum size is 8
+  ASSERT_FALSE(isValidBoxFileType(boxData));
+}
+
 TEST(Jp2_FileTypeBox, with2CLs_lastOneWithBrandValue_isValid) {
   std::vector<std::uint8_t> boxData(16);
   // The first 4 bytes correspond to the BR (Brand). It must have the value 'jp2\040'