xymp
/
exiv2
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #1823 from Exiv2/mergify/bp/main/pr-1818

Browse Source 
Fix memory leak in pngimage.cpp (backport #1818)
main
Kevin Backhouse 4 years ago committed by GitHub
parent 34aa899513 c641116b25
commit db25089c6f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 37 additions and 14 deletions
Show Stats Download Patch File Download Diff File

28
src/pngimage.cpp
Unescape Escape View File

@ -317,28 +317,29 @@ namespace Exiv2 {
if( bDump ) {
DataBuf dataBuf;
auto data = new byte[dataOffset + 1];
data[dataOffset] = 0;
bufRead = io_->read(data,dataOffset);
enforce(static_cast<uint64_t>(dataOffset) < static_cast<unsigned long>(std::numeric_limits<long>::max()), kerFailedToReadImageData);
DataBuf data(static_cast<long>(dataOffset) + 1);
data.pData_[dataOffset] = 0;
bufRead = io_->read(data.pData_, static_cast<long>(dataOffset));
enforce(bufRead == static_cast<long>(dataOffset), kerFailedToReadImageData);
io_->seek(restore, BasicIo::beg);
uint32_t name_l = static_cast<uint32_t>(std::strlen(reinterpret_cast<const char*>(data))) +
1; // leading string length
enforce(name_l <= dataOffset, kerCorruptedMetadata);
size_t name_l = std::strlen(reinterpret_cast<const char*>(data.pData_)) +
1; // leading string length
enforce(name_l < dataOffset, kerCorruptedMetadata);
uint32_t start = name_l;
uint32_t start = static_cast<uint32_t>(name_l);
bool bLF = false;
// decode the chunk
bool bGood = false;
if ( tEXt ) {
bGood = tEXtToDataBuf(data+name_l,dataOffset-name_l,dataBuf);
bGood = tEXtToDataBuf(data.pData_ + name_l, static_cast<unsigned long>(dataOffset - name_l), dataBuf);
}
if ( zTXt || iCCP ) {
bGood = zlibToDataBuf(data+name_l+1,dataOffset-name_l-1,dataBuf); // +1 = 'compressed' flag
bGood = zlibToDataBuf(data.pData_ + name_l + 1, static_cast<unsigned long>(dataOffset - name_l - 1), dataBuf); // +1 = 'compressed' flag
}
if ( iTXt ) {
bGood = (start+3) < dataOffset ; // good if not a nul chunk
bGood = (3 <= dataOffset) && (start < dataOffset-3); // good if not a nul chunk
}
if ( eXIf ) {
bGood = true ;// eXIf requires no pre-processing)
@ -347,8 +348,8 @@ namespace Exiv2 {
// format is content dependent
if ( bGood ) {
if ( bXMP ) {
while (start < dataOffset && !data[start]) start++; // skip leading nul bytes
out << data+start; // output the xmp
while (start < dataOffset && !data.pData_[start]) start++; // skip leading nul bytes
out << data.pData_ + start; // output the xmp
}
if ( bExif || bIptc ) {
@ -389,13 +390,12 @@ namespace Exiv2 {
}
if ( eXIf && option == kpsRecursive ) {
// create memio object with the data, then print the structure
BasicIo::UniquePtr p = BasicIo::UniquePtr(new MemIo(data,dataOffset));
BasicIo::UniquePtr p = BasicIo::UniquePtr(new MemIo(data.pData_, dataOffset));
printTiffStructure(*p,out,option,depth);
}
if ( bLF ) out << std::endl;
}
delete[] data;
}
io_->seek(dataOffset+4, BasicIo::cur);// jump past checksum
if (io_->error()) throw Error(kerFailedToReadImageData);

BIN
test/data/issue_1817_poc.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 B

23
tests/bugfixes/github/test_issue_1817.py
Unescape Escape View File

@ -0,0 +1,23 @@
# -*- coding: utf-8 -*-
from system_tests import CaseMeta, path
class MemoryLeakInPngImagePrintStructure(metaclass=CaseMeta):
"""
Regression test for the bug described in:
https://github.com/Exiv2/exiv2/issues/1817
Note: the test only fails in an ASAN build.
"""
url = "https://github.com/Exiv2/exiv2/issues/1817"
filename = path("$data_path/issue_1817_poc.png")
commands = ["$exiv2 -pS $filename"]
stdout = ["""STRUCTURE OF PNG FILE: $filename
address | chunk | length | data | checksum
8 | eXIf | 0 | | 0x00000000
"""]
stderr = ["""$exiv2_exception_message $filename:
$kerCorruptedMetadata
"""]
retval = [1]
Write Preview
Loading…
Cancel
Save