From c0ecc2ae36f34462be98623deb85ba1747ae2175 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Mon, 13 May 2019 16:56:29 +0100
Subject: [PATCH] Avoid integer overflow.

---
 src/crwimage_int.cpp | 4 ++--
 test/data/issue_843_poc.crw | Bin 0 -> 309 bytes
 tests/bugfixes/github/test_issue_843.py | 22 ++++++++++++++++++++++
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 test/data/issue_843_poc.crw
 create mode 100644 tests/bugfixes/github/test_issue_843.py

diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
index c2fd5f3a..4080c078 100644
--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
@@ -281,7 +281,7 @@ namespace Exiv2 {
         if (size < 4)
             throw Error(kerCorruptedMetadata);
         uint32_t o = getULong(pData + size - 4, byteOrder);
-        if ( o+2 > size )
+        if ( o > size-2 )
             throw Error(kerCorruptedMetadata);
         uint16_t count = getUShort(pData + o, byteOrder);
 #ifdef DEBUG
@@ -289,7 +289,7 @@ namespace Exiv2 {
                   <<", " << count << " entries \n";
 #endif
         o += 2;
-        if ( (o + (count * 10)) > size )
+        if ( static_cast(count) * 10 > size-o )
             throw Error(kerCorruptedMetadata);
 
         for (uint16_t i = 0; i < count; ++i) {
diff --git a/test/data/issue_843_poc.crw b/test/data/issue_843_poc.crw
new file mode 100644
index 0000000000000000000000000000000000000000..56628e2d7cc369376c6bba2c53eab2176078f365
GIT binary patch
literal 309
zcmebDlwx3D@NjhuaCUYH0y06M9!xg;7hq^%;ACUtU}NRvVCUfC^!t79g7ui0wFmL~uo3B?E(tsfB?t0|R%{EC!GcknD-3xp4M{4t1c208re4 zfnfqO0}qhL48)8e6^v{Q%=;_)bMjIQ3{nhil@v-03Jmo1%gf94${839iqiEBEiEne z4Gav7%nXWB(hQ0#foue@aPssuFkmnMn&*cQMX-W_Oa%zADKSV(L&#udX=wq4|Dyr` Dtf4
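Review bot: The rewritten check `if ( o > size-2 )` is wrap-free only because of the `if (size < 4)` guard two lines above it, and nothing on the new line records that dependency, so a later edit that relaxes or moves the guard would silently reintroduce an unsigned underflow in `size-2`. Add a comment on the new line, e.g. `// size >= 4 here (checked above), so size-2 cannot wrap; written as a subtraction because o+2 can overflow on a crafted trailing offset.` The enclosing function starts before the hunk, so I am assuming `size` has the same unsigned width as `o` (`uint32_t`); if `size` is a wider type the comparison still holds, but that should be confirmed at the signature.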
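Review bot: The new guard `static_cast(count) * 10 > size-o` has no template argument as rendered on this page, which is presumably an extraction artifact for `static_cast<uint32_t>(count)`; whichever type is used, it must be at least 32 bits so that `count * 10` (at most 655350) cannot wrap, and since `uint16_t` would promote to `int` anyway the cast is there to make that intent explicit rather than to change the arithmetic. As in the first hunk, `size-o` is only safe because the earlier check established `o <= size-2` before `o += 2`, so a one-line comment above the check, `// o <= size here (checked before o += 2), so size-o cannot wrap; count*10 <= 655350 fits uint32_t`, would keep the two checks from being refactored independently. The `for` loop that consumes the directory continues past the end of the hunk, so I cannot confirm that each iteration reads exactly 10 bytes from `pData + o`; the guard assumes it does. Since this is the second additive bounds check in the same function that could wrap, it is worth grepping the rest of `crwimage_int.cpp` for other `offset + length > size` forms before closing the issue.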