This function was creating a lot of new pointers and strings without
properly checking the array bounds. This commit adds several calls
to enforce(), making sure that the pointers stay within bounds.
Strings are now created using the helper function
string_from_unterminated() to prevent overreads in the constructor of
std::string.
This fixes #400
This is needed in some tests which are using exiv2json.
It seems that during metadata conversion, the dates are converted from the
original timezone (which seems to be saved in xmp) into the local time zone.
* Port redmine issue 1024
* Port redmine issue 1026
* Port redmine issue 1040
* Port redmine issue 1044
* Port redmine issue 1053
* Port redmine issue 1054 (not finished yet; I found some issues there)
* Port redmine issue 1058
* Port redmine issue 1062
* Port redmine issue 1080
* Port redmine issue 1108
* Port redmine issue 1112
* Port redmine issue 1114
* Port redmine issue 1122
* Port redmine issue 1140
* Port redmine issue 1144
* Port redmine issue 1145
* Port redmine issue 1153
* Port redmine issue 1155
* Port redmine issue 1166
* Port redmine issue 1167
* Port redmine issue 1170
* Replace escaped chars in 1054
* Add brackets in exiv2json::main()
* Link all sample apps against exiv2lib
* Changes in 1054
* test 1054: fix dates depending on Local time
* Do not run make with VERBOSE=1
* Use system_tests.path
* Fix windows issues with quotes
* Use system_tests.path
* Use itertools to simplify test code
* [appveyor] Install clcache with nuget
* [appveyor] Keep clcache in the appveyor jobs
* [appveyor] Print clcache stats after compiling the project
* Use CLCACHE_PATH env variable to find clcache
EXV_WARN_UNUSED_RESULT is a conditional macro that expands to either
__attribute__((warn_unused_result)) on gcc & clang or to _Check_return
for MSVC
=> Compiler warns if the return value is ignored
in the following call:
getHeaderOffset (payload.pData_, payload.size_, (byte*)&exifLongHeader, 6);
getHeaderOffset would read 6 bytes from exifLongHeader, reading beyond the
bounds of the array => add 2 padding bytes to prevent overreads
memcmp() compares the read data from key with the provided string, but when
key.pData_ is shorter than the provided length, then memcmp can read beyond the
bounds of key.pData_
=> add custom compare function, which ensures that we never read more than
key.size_
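The bounded compare described in the commit above, as an added example (not Exiv2's own code); `DataBuf`, `keyMatches` and `keyMatchesUnsafe` are hypothetical stand-ins for the project's types and the replaced memcmp() call:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical stand-in for the project's DataBuf (example only):
// a pointer to a byte buffer plus the number of valid bytes in it.
struct DataBuf {
    const uint8_t* pData_;
    size_t size_;
};

// The unsafe pattern: memcmp() reads exactly `len` bytes from key.pData_,
// no matter how many valid bytes key.size_ says the buffer holds.
// When key.size_ < len the read runs past the end of the buffer.
bool keyMatchesUnsafe(const DataBuf& key, const char* str, size_t len) {
    return std::memcmp(key.pData_, str, len) == 0;
}

// The hardened compare: reject before touching memory if the key cannot
// hold `len` bytes, so no read ever goes beyond key.pData_ + key.size_.
bool keyMatches(const DataBuf& key, const char* str, size_t len) {
    if (key.pData_ == nullptr || key.size_ < len) {
        return false;
    }
    return std::memcmp(key.pData_, str, len) == 0;
}

// Convenience overload for NUL-terminated literals such as "Exif":
// compares the literal's full length (terminator excluded).
bool keyMatches(const DataBuf& key, const char* str) {
    return keyMatches(key, str, std::strlen(str));
}

// Constructed sample keys: a complete 4-byte key and a truncated 2-byte one.
static const uint8_t kFullKey[] = {'E', 'x', 'i', 'f'};
static const uint8_t kShortKey[] = {'E', 'x'};

int main() {
    DataBuf keyFull{kFullKey, sizeof(kFullKey)};
    DataBuf keyShort{kShortKey, sizeof(kShortKey)};

    (void)keyMatches(keyFull, "Exif");   // true: 4 valid bytes, 4 compared
    (void)keyMatches(keyShort, "Exif");  // false: rejected, memcmp() never runs
    // keyMatchesUnsafe(keyShort, "Exif", 4) would read 2 bytes past kShortKey.
    return 0;
}
```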
The pointer p is advanced in the while loop to step over three '\n'.
However, its length is never reduced accordingly. => the length check in the
following for loop is invalid, as it permits overreading by the number of
characters that p was advanced by.
The loop condition will perform a range check correctly, but it will always
dereference bytes[i], even if i is too large and fails the second check.
=> move the bytes[i] == 0x1c check into an if, after the range check was
successful
DataBuf::release() easily causes memory leaks, when the return value is
ignored. free() provides the desired behavior, when the internal data should
just be deleted and not used further.
The size parameter is only checked for upper bounds, but not for lower.
If it is too small, then the created dataBuf will be too small and overflow in one
of the subsequent memcpy() calls.
This fixes #378 / CVE-2018-14046