- Regression test for missing bounds check in MemIo::seek()
- Add bounds check to MemIo::seek(), this fixes CVE-2019-13504
(cherry picked from commit bd0afe0390439b2c424d881c8c6eb0c5624e31d9)
Additional fixes for 0.27:
- Add fix for the linux variant of MemIo::seek
- Change type of variable from unsigned to signed
This build passes the test suite and jens.cpp on MacOS-X. I'll submit and see what the CI has to say. With the changes only relating to unitTests (which I didn't run on FreeBSD), we should not have disturbed Linux/FreeBSD/jens.cpp.
I feel more confortable doing changes in a code that I do not know by
having some unit tests around it. These characterisation tests will
also be useful as documentation.
I tried to use directly the private OBJECT library (exiv2lib_int) in the unit_tests targets, but the private objects have dependencies on the public symbols (circular dependency)
and therefore it is impossible to test the private code with that approach with the current design of the library.
Starting from CMake 3.3 we can use the variable CMAKE_WINDOWS_EXPORT_ALL_SYMBOLS to export all the symbols of a shared library:
https://blog.kitware.com/create-dlls-on-windows-without-declspec-using-new-cmake-export-all-feature/
Even having the opportunity to use this variable (that will be only used when EXIV2_BUILD_UNIT_TESTS is enabled) the previous commits are still valid.
It is interesting to clearly differentiate between the public and private code of the library. Enforcing this, make us think twice before putting code in the public
part of the library.
Luis Díaz Más
Robin Mills
postscript-dev
Kevin Backhouse
Dan Čermák