diff --git a/src/error.cpp b/src/error.cpp
index e90a9c0a..f2edf4dd 100644
--- a/src/error.cpp
+++ b/src/error.cpp
@@ -109,6 +109,7 @@ namespace {
 { 55, N_("tiff directory length is too large") },
 { 56, N_("invalid type value detected in Image::printIFDStructure") },
 { 57, N_("invalid memory allocation request") },
+ { 58, N_("corrupted image metadata") },
 };
 }
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 747145cf..748d39b5 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -269,10 +269,15 @@ namespace Exiv2
 std::cout << "Exiv2::Jp2Image::readMetadata: " << "Color data found" << std::endl;
 #endif
- long pad = 3 ; // 3 padding bytes 2 0 0
+ const long pad = 3 ; // 3 padding bytes 2 0 0
 DataBuf data(subBox.length+8);
 io_->read(data.pData_,data.size_);
- long iccLength = getULong(data.pData_+pad, bigEndian);
+ const long iccLength = getULong(data.pData_+pad, bigEndian);
+ // subtracting pad from data.size_ is safe:
+ // size_ is at least 8 and pad = 3
+ if (iccLength > data.size_ - pad) {
+ throw Error(58);
+ }
 DataBuf icc(iccLength);
 ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
 #ifdef DEBUG
diff --git a/test/bugfixes-test.sh b/test/bugfixes-test.sh
index 7d74d315..5d5d2afa 100755
--- a/test/bugfixes-test.sh
+++ b/test/bugfixes-test.sh
@@ -730,6 +730,13 @@ source ./functions.source
 copyTestFile $filename
 runTest exiv2 $filename
 
+ num=g71
+ printf "$num " >&3
+ filename=003-heap-buffer-over
+ echo '------>' Bug $filename '<-------' >&2
+ copyTestFile $filename
+ runTest exiv2 $filename
+
 ) 3>&1 > $results 2>&1
 printf "\n"
diff --git a/test/data/003-heap-buffer-over b/test/data/003-heap-buffer-over
new file mode 100644
index 00000000..2c490f60
Binary files /dev/null and b/test/data/003-heap-buffer-over differ
diff --git a/test/data/bugfixes-test.out b/test/data/bugfixes-test.out
index 4a397f0f..f4b58fbb 100644
Binary files a/test/data/bugfixes-test.out and b/test/data/bugfixes-test.out differ
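Review bot: In the jp2image.cpp hunk the new guard bounds iccLength against the allocated size `data.size_`, but the return value of `io_->read(data.pData_,data.size_)` on the line above is still ignored, so on a truncated file the ICC length is decoded from bytes that were never filled and the memcpy then copies uninitialised buffer contents rather than file data; capture the count (BasicIo::read appears to return the number of bytes read — confirm) as `const long bytesRead = io_->read(data.pData_,data.size_);` and reject short reads in the same check. Separately, getULong yields an unsigned 32-bit value that is stored in a signed `long`; where `long` is 32 bits a length of 0x80000000 or more becomes negative, slips past the `>` comparison, and reaches `DataBuf icc(iccLength)` with a negative size, so the guard should read `if (bytesRead != data.size_ || iccLength < 0 || iccLength > data.size_ - pad) {`. The `subBox.length+8` on the context line is also file-controlled and is not addressed here, which is worth a follow-up. The enclosing readMetadata body starts and ends outside this hunk.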