From d3e69f6d2c60bd06bf1c0564b919989ecfc89ec1 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Mon, 13 May 2019 14:57:09 +0100
Subject: [PATCH] Add bounds check on allocation size.
---
 src/pngchunk_int.cpp | 20 +++++++++++++++++---
 test/data/issue_845_poc.png | Bin 0 -> 13183 bytes
 tests/bugfixes/github/test_issue_845.py | 23 +++++++++++++++++++++++
 3 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 test/data/issue_845_poc.png
 create mode 100644 tests/bugfixes/github/test_issue_845.py
diff --git a/src/pngchunk_int.cpp b/src/pngchunk_int.cpp
index bf389ee1..64a370e5 100644
--- a/src/pngchunk_int.cpp
+++ b/src/pngchunk_int.cpp
@@ -625,8 +625,12 @@ namespace Exiv2 {
 const char *sp = (char*) text.pData_+1; // current byte (space pointer)
 const char *eot = (char*) text.pData_+text.size_; // end of text
+ if (sp >= eot) {
+ return DataBuf();
+ }
+ // Look for newline
- while (*sp != '\n' && sp < eot )
+ while (*sp != '\n')
 { sp++; if ( sp == eot )
@@ -635,9 +639,12 @@ namespace Exiv2 {
 } } sp++ ; // step over '\n'
+ if (sp == eot) {
+ return DataBuf();
+ }
 // Look for length
- while ( (*sp == '\0' || *sp == ' ' || *sp == '\n') && sp < eot )
+ while (*sp == '\0' || *sp == ' ' || *sp == '\n')
 { sp++; if (sp == eot )
@@ -647,7 +654,7 @@ namespace Exiv2 {
 } const char* startOfLength = sp;
- while ( ('0' <= *sp && *sp <= '9') && sp < eot)
+ while ('0' <= *sp && *sp <= '9')
 { sp++; if (sp == eot )
@@ -656,8 +663,13 @@ namespace Exiv2 {
 } } sp++ ; // step over '\n'
+ if (sp == eot) {
+ return DataBuf();
+ }
 long length = (long) atol(startOfLength);
+ enforce(length >= 0, Exiv2::kerCorruptedMetadata);
+ enforce(length <= (eot - sp)/2, Exiv2::kerCorruptedMetadata);
 // Allocate space
 if (length == 0)
@@ -682,6 +694,7 @@ namespace Exiv2 {
 for (long i = 0; i < (long) nibbles; i++) {
+ enforce(sp < eot, Exiv2::kerCorruptedMetadata);
 while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f') { if (*sp == '\0') 
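Review bot: The new `if (sp >= eot)` guard deserves a comment on why it is `>=` and not `==`: `sp` is `text.pData_+1` while `eot` is `text.pData_+text.size_`, so a zero-length text puts `sp` one byte past `eot` and an `==` test would miss it, e.g. `// size_ == 0 leaves sp one past eot, hence >= rather than ==`. If `pData_` can be null for an empty DataBuf (not visible here), the `+1` is already formed before the guard runs; testing `text.size_ < 2` before computing the two pointers would express the same bound on the size alone. The enclosing function starts before this hunk.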
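Review bot: The new `if (sp == eot) return DataBuf();` after `sp++ ; // step over '\n'` turns a text that ends right after the first newline into an empty profile, while the `enforce(..., Exiv2::kerCorruptedMetadata)` checks this same commit adds further down throw for an oversized or exhausted length, so two truncations of the same chunk now surface differently and only the throwing one is pinned by the regression test. If the silent return is deliberate, to match the pre-existing `return DataBuf()` exits inside the loops, a comment such as `// truncated text: empty profile, matching the loop exits above` would keep the next reader from "fixing" it; otherwise `enforce(sp < eot, Exiv2::kerCorruptedMetadata);` makes the function uniform. The `sp++` itself is sound here: the loop in the previous hunk only exits with `*sp == '\n'`, so the byte stepped over is the newline. The enclosing function starts before and ends after this hunk.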
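Review bot: `atol(startOfLength)` can read bytes the digit loop never bounded, because it skips leading '\t', '\r', '\v' and '\f' and accepts a sign, none of which the whitespace loop in the previous hunks skips: a text such as `\n\t123…` leaves `startOfLength` on the tab, the digit loop does not advance, and the parse then runs over the following digits with nothing stopping it at `eot` unless `text.pData_` happens to be NUL-terminated, which this hunk does not show. Independently, a digit run long enough to overflow `long` is undefined behaviour for `atol` (glibc and MSVC saturate in practice, and the new `length <= (eot - sp)/2` check would then reject it, but that is an implementation detail, and the digit loop accepts arbitrarily many digits). Recording where the digit loop stopped and parsing only that run with `strtol`, as below, closes both gaps and treats a length that does not start with a digit as 0; it needs `<cerrno>` and `<cstdlib>`, which may already be included above the hunk. Note also that the digit loop stops on any non-digit, so `sp++ ; // step over '\n'` is only accurate for well-formed input. The enclosing function starts before and ends after this hunk.
```cpp
        const char* endOfLength = sp;   // digit loop above exited on a non-digit, so this is < eot
        sp++ ; // step over '\n'
        if (sp == eot) {
            return DataBuf();
        }

        // Parse only the digit run the loop validated: atol would skip tab/CR and accept a
        // sign that the whitespace loop does not, and overflows (UB) on a long digit run.
        long length = 0;
        if (endOfLength > startOfLength) {
            errno = 0;
            char* parsedEnd = nullptr;
            length = std::strtol(startOfLength, &parsedEnd, 10);
            enforce(errno == 0 && parsedEnd == endOfLength, Exiv2::kerCorruptedMetadata);
        }
        enforce(length >= 0, Exiv2::kerCorruptedMetadata);
        enforce(length <= (eot - sp)/2, Exiv2::kerCorruptedMetadata);
        // … unchanged: allocation and hex decoding …
```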
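Review bot: The `enforce(sp < eot, ...)` at the top of the nibble loop is necessary even though the earlier `length <= (eot - sp)/2` check guarantees `2*length` bytes remain, and a comment should say why: the inner `while` skips whitespace and every other non-hex byte, so the remaining byte count is not a count of hex digits and a payload padded with newlines can still run `sp` up to `eot`, e.g. `// (eot - sp)/2 bounded bytes, not hex digits: skipped whitespace can still exhaust the text`. The loop body, including the reads that consume each digit, continues past the end of the hunk.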
@@ -693,6 +706,7 @@ namespace Exiv2 {
 } sp++;
+ enforce(sp < eot, Exiv2::kerCorruptedMetadata);
 } if (i%2 == 0) 
diff --git a/test/data/issue_845_poc.png b/test/data/issue_845_poc.png new file mode 100644 index 0000000000000000000000000000000000000000..9f8fe1e9d1ca070cbecaaa7306182b9c9ff3b2a6 GIT binary patch literal 13183 zcmeHN32cZduBZiOE2RcwnG3luQE&%XEMYZ8MZ%X=w>VC#7@-0+X^#Nz`-yB7Mt>64JCo zXMF#>|IWMb-uv#m@BR0m-q-Cd%}Wb%XXFx5!Bxu|T9KC_m1JiUW&U$P)es7|`Btxw zwt9N4p>VL%*CSh_{UO;Z_xU^PnZ3Kro=*t&J;IS*sd|yq@r;sHYwNdOa&uROYfvc2}9xS#EccOLA7Z zrE<5+Wpz5;71izviJCm&j-Ylo*1O!5)$Ynlx`ZCQDMRt%D7v>x!yf_Lc9;~t3Es@n zuoqa;Fht0;!>q_KpLS-End@EUlHQx+5Hf2$GsBQ@k18XGusxKk=oW)74yis^fz29! zE^yY6>O%(X=4jXgoU6%8kl8krMT;*Yss`RUBoZ=`B%*r^c*uZhSo6~kmJgu8wECLcpI=8*arU1z?qO@?_UMZ0xkxA3pfYZ3j7Ih0cs#fg-8}? zbK95<`mX@S#Q};0tvo zng!*Bz}dh&^9CHq7u%%Az`<=i=by@TcWF7~esPP}e%$-zcRz~zy;3<%K6^)$$ zo(evCK+jo;iZ%QW@N~$anoa;)HU7j|M6-Z1W)RtdF9FVh%wpg<%m?lSW@<-_l)xw@ zzGYG@CTOMD_6g_-OPIjjOQpC3vZ|9qk%=j!i9;q9V;tKaM<|z4Tk!C4U8VtGm?T)) zr?5Cu*|_c}`dU#&S#94+Pf>>=^Oa&*x2dg&@wM%&vyEJ5v|dXICl(9$fuL8Z(2ufMKF-yp*fQ+&BH&xu<2RiP2Pt|zvm zC$2WOb&FPJ9w(kzAXA2EWQ0L3-6HVqxltdM<4?G@; zl&&KXQ|P#Wu{U?8@5%pO7K>wQO7=Iok9t{s3RN4Q9(>|2oVaA{sFBYPfKEof&g1-S z_}p$PxzqV$Z+>a)h>CZuL0CN7sF?Zy%p!o}OAJS;7Bg`8SRz1pb{FTzBr9i?`< znzkdUxSekQ*Pl=F#a8i36Zz`J^tuiX?K$-k?!~86Ok~ByprQaW~IA^eCO~Z+$4N`e^mCMDO#c>*sz<314Bft@O4C@%L znaF505^wf+ugYa6(SXecoMFJ3!2CXDJ51SzI_5ov#6L$wY?x4`P_Y3|H{cltTxh@< z20Yb(Ee4zg%quYaqPN418TSfYj?-z@R^CJGM1ncW#77rwbmz@{7d7s5@-e)2idoOwsqkF!R^hcjb&V*ZyIkDAuytj`(bA*U=MTi|)H zJ99(f_Y3Q?-w@xYqcjum=V5V|_=Nd}%;)nC=2eNiGoLKjSMXuhe(_!UBUxz;Z4}$Y ztIgMCX6NOS`DDhk#h2!Av!_E`$JY;v5-7b!s@l0|BWC&rt(_Ex%tPjU)3e3-*=+HS z%$CU&iU&7ltiNEd!aJD}n)V7G!kGV%Gnik%$42JmIXenGa5?Ulq61y!c$R{2b-YFcUA@OzL@q*{+H{!#> zVE*6e6Y*AIf8Hd)Y6=R+bGPFtYk{ya=Y%jZ+nOEAQm;|7=D$|ZAFOk0K%^_;zXJFX z9!m%Cl&WncPV023BD$>5d1C<<5R!-jM>9isP@U(==7oNmV1*E956ItC6ug4ZHh@JQ9sMmY5XN^i#AjJ?eX zSTJ9JYr46_Tx>pU!f`F>pet}at ziZc%q^Kmj*#L!-C0YYNpQ!cr|}kZYAZ__EvC=6EsHC? 
zDByUUM#RKHWxVRFz&>T0@RI0-v_$oEXxoaoo)Xg5eYSRXJ+D~bo@Qf1 zF+jVp4!((%IO$w5Zmts1e=%NC!E9`J`spD$2+hAkvkj$T`W2%49Q{;69vj+Z(@?FKC!CdZNaJn}E$C8{4<>9XVbxkcb|s3DvR@o79C|8RjZ z)2MtFekd^%Eu z+1kYlN`GTLb9M$+MY;hn>&THKMB7)y z7A)!uc{(=9QER*0K0R>AX7zb%ZR;wVq^8gkx!bpFAS|yMXkOhhu&JZQYg@F? zx}eY9=MVYisK?sp?+HZQeYG~lxI3`34$XQTHmf2M-BfE^-_&AV62y1M3VVfJDr@ZX zZFSjTBkb*Tw>Dg38+-!0LCUFD|f=x}Q6;*=e_s6B<|0{`W#5wjz zr#&D?6QUh)nb4MSkJ2k|hePg>{c<20fn}#68*;aLqP{>^tpFvNPNYc~7lD^4=&}i+nTBsZ?-46KK0gqA)k z{-8JEHcx#Ff@Z15x6rk~!8{=KNds_>Wf`RudDVtt98vY{%yXU5jY`lddG zDIM!n$x+`RegO^)z(0BU~_-KEfTsJVI7(v?j{C$*rR(eU}yOdXgpy&oHxG|%pQL*TVOoq?6!i$qfiH~d?AqCTwu zzF^oF?N2p6(pWFfz)J1Kn3j^ANWZcxe(Fnmhr1&zd+<_9<*@R{O@q^;+%al;JKSMk zS9dg`S*h=dYN*G@`v!N9hu_0}WnQ_{gZ6C;Q<_%Q97bzOlZGt`%qlGGa~Q_AO$)8# pG#-KR2%P^2OgR50$1RRWU_1ij5%|v|kT`8oep2`1EG72tzX1T!?xp|$ literal 0 HcmV?d00001 diff --git a/tests/bugfixes/github/test_issue_845.py b/tests/bugfixes/github/test_issue_845.py new file mode 100644 index 00000000..87814e9d --- /dev/null +++ b/tests/bugfixes/github/test_issue_845.py @@ -0,0 +1,23 @@ +# -*- coding: utf-8 -*- + +from system_tests import CaseMeta, path + + +class LargeAllocationInPngChunk(metaclass=CaseMeta): + """ + Regression test for the bug described in: + https://github.com/Exiv2/exiv2/issues/845 + + An unchecked allocation size causes a std::bad_alloc to + be thrown. + """ + url = "https://github.com/Exiv2/exiv2/issues/845" + + filename = path("$data_path/issue_845_poc.png") + commands = ["$exiv2 $filename"] + stdout = [""] + stderr = [ + """$exiv2_exception_message $filename: +$kerCorruptedMetadata +"""] + retval = [1]
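Review bot: The regression test pins only the throwing path (`$kerCorruptedMetadata` on stderr, `retval = [1]`): the new `return DataBuf()` guards in the pngchunk_int.cpp hunks presumably produce no diagnostic, since they hand back an empty buffer rather than throw, so removing any of them would not fail this test. A second PoC, or a second entry in `commands` on a text chunk truncated after its first newline, asserting `stderr = [""]` and `retval = [0]`, would cover them. The docstring could also state that the expected outcome is the corrupted-metadata exception, since the `std::bad_alloc` it mentions is the pre-fix symptom rather than what the test checks.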