Add bounds check on allocation size.

6 years ago · d3e69f6d2c
parent c0ecc2ae36
commit d3e69f6d2c
3 changed files with 40 additions and 3 deletions
--- a/src/pngchunk_int.cpp
+++ b/src/pngchunk_int.cpp
@ -625,8 +625,12 @@ namespace Exiv2 {
        const char *sp  = (char*) text.pData_+1;          // current byte (space pointer)
        const char *eot = (char*) text.pData_+text.size_; // end of text

+        if (sp >= eot) {
+            return DataBuf();
+        }
+
        // Look for newline
-        while (*sp != '\n' && sp < eot )
+        while (*sp != '\n')
        {
            sp++;
            if ( sp == eot )
@ -635,9 +639,12 @@ namespace Exiv2 {
            }
        }
        sp++ ; // step over '\n'
+        if (sp == eot) {
+            return DataBuf();
+        }

        // Look for length
-        while ( (*sp == '\0' || *sp == ' ' || *sp == '\n') && sp < eot )
+        while (*sp == '\0' || *sp == ' ' || *sp == '\n')
        {
            sp++;
            if (sp == eot )
@ -647,7 +654,7 @@ namespace Exiv2 {
        }

        const char* startOfLength = sp;
-        while ( ('0' <= *sp && *sp <= '9') && sp < eot)
+        while ('0' <= *sp && *sp <= '9')
        {
            sp++;
            if (sp == eot )
@ -656,8 +663,13 @@ namespace Exiv2 {
            }
        }
        sp++ ; // step over '\n'
+        if (sp == eot) {
+            return DataBuf();
+        }

        long length = (long) atol(startOfLength);
+        enforce(length >= 0, Exiv2::kerCorruptedMetadata);
+        enforce(length <= (eot - sp)/2, Exiv2::kerCorruptedMetadata);

        // Allocate space
        if (length == 0)
@ -682,6 +694,7 @@ namespace Exiv2 {

        for (long i = 0; i < (long) nibbles; i++)
        {
+            enforce(sp < eot, Exiv2::kerCorruptedMetadata);
            while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
            {
                if (*sp == '\0')
@ -693,6 +706,7 @@ namespace Exiv2 {
                }

                sp++;
+                enforce(sp < eot, Exiv2::kerCorruptedMetadata);
            }

            if (i%2 == 0)
--- a/test/data/issue_845_poc.png
+++ b/test/data/issue_845_poc.png
--- a/tests/bugfixes/github/test_issue_845.py
+++ b/tests/bugfixes/github/test_issue_845.py
@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+
+class LargeAllocationInPngChunk(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/845
+
+    An unchecked allocation size causes a std::bad_alloc to
+    be thrown.
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/845"
+
+    filename = path("$data_path/issue_845_poc.png")
+    commands = ["$exiv2 $filename"]
+    stdout = [""]
+    stderr = [
+        """$exiv2_exception_message $filename:
+$kerCorruptedMetadata
+"""]
+    retval = [1]