Fix issues found by fuzzer

3 years ago · f6b17d2a4d
parent b9f9d041ea
commit f6b17d2a4d
4 changed files with 7 additions and 6 deletions
--- a/src/helper_functions.cpp
+++ b/src/helper_functions.cpp
@ -23,7 +23,9 @@

 std::string string_from_unterminated(const char* data, size_t data_length)
 {
+    if (data_length == 0) {
+        return {};
+    }
    const size_t StringLength = strnlen(data, data_length);
-
    return std::string(data, StringLength);
 }
--- a/src/jpgimage.cpp
+++ b/src/jpgimage.cpp
@ -621,8 +621,7 @@ namespace Exiv2 {
                    assert(markerHasLength(marker));
                    assert(size >= 2); // Because this marker has a length field.
                    // http://www.adobe.com/content/dam/Adobe/en/devnet/xmp/pdfs/XMPSpecificationPart3.pdf p75
-                    const std::string signature =
-                        string_from_unterminated(buf.c_str(2), size - 2);
+                    const std::string signature = string_from_unterminated(buf.c_str(2), size - 2);

                    // 728 rmills@rmillsmbp:~/gnu/exiv2/ttt $ exiv2 -pS test/data/exiv2-bug922.jpg
                    // STRUCTURE OF JPEG FILE: test/data/exiv2-bug922.jpg
--- a/src/pngchunk_int.cpp
+++ b/src/pngchunk_int.cpp
@ -147,7 +147,7 @@ namespace Exiv2

                arr = DataBuf(text, textsize);
            } else if (type == iTXt_Chunk) {
-                enforce(data.size() >= Safe::add(keysize, static_cast<size_t>(3)), Exiv2::kerCorruptedMetadata);
+                enforce(data.size() > Safe::add(keysize, static_cast<size_t>(3)), Exiv2::kerCorruptedMetadata);
                const size_t nullCount = std::count(data.c_data(keysize + 3), data.c_data(data.size()-1), '\0');
                enforce(nullCount >= nullSeparators, Exiv2::kerCorruptedMetadata);

@ -524,7 +524,7 @@ namespace Exiv2

        DataBuf PngChunk::readRawProfile(const DataBuf& text, bool iTXt)
        {
-            if (text.empty()) {
+            if (text.size() <= 1) {
                return DataBuf();
            }

--- a/src/tiffvisitor_int.cpp
+++ b/src/tiffvisitor_int.cpp
@ -999,7 +999,7 @@ namespace Exiv2 {
                uint32_t sizeTotal = 0;
                object->strips_.clear();
                for (size_t i = 0; i < pos->count(); ++i) {
-                    uint32_t len = pos->toUint32(i);
+                    uint32_t len = pos->toUint32(static_cast<long>(i));
                    object->strips_.emplace_back(zero, len);
                    sizeTotal += len;
                }