From 683451567284005cd24e1ccb0a76ca401000968b Mon Sep 17 00:00:00 2001 From: Jens Georg <mail@jensge.org> Date: Sun, 6 Oct 2019 15:05:20 +0200 Subject: [PATCH 1/2] crwimage: Check offset and size against total size Corrupted or specially crafted CRW images might exceed the overall buffersize. Fixes #1019 --- src/crwimage_int.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp index 2474baace..3315b86d7 100644 --- a/src/crwimage_int.cpp +++ b/src/crwimage_int.cpp @@ -270,6 +270,9 @@ namespace Exiv2 { #ifdef EXIV2_DEBUG_MESSAGES std::cout << "Reading directory 0x" << std::hex << tag() << "\n"; #endif + if (this->offset() + this->size() > size) + throw Error(kerOffsetOutOfRange); + readDirectory(pData + offset(), this->size(), byteOrder); #ifdef EXIV2_DEBUG_MESSAGES std::cout << "<---- 0x" << std::hex << tag() << "\n"; From 73b874fb14d02578f876aa7dd404cf7c07b6dc4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com> Date: Mon, 7 Oct 2019 23:25:00 +0200 Subject: [PATCH 2/2] [tests] Add regression test for #1019 --- test/data/POC-file_issue_1019 | Bin 0 -> 10078 bytes tests/bugfixes/github/test_issue_1019.py | 14 ++++++++++++++ tests/suite.conf | 1 + 3 files changed, 15 insertions(+) create mode 100755 test/data/POC-file_issue_1019 create mode 100644 tests/bugfixes/github/test_issue_1019.py diff --git a/tests/bugfixes/github/test_issue_1019.py b/tests/bugfixes/github/test_issue_1019.py new file mode 100644 index 000000000..c2682f901 --- /dev/null +++ b/tests/bugfixes/github/test_issue_1019.py @@ -0,0 +1,14 @@ +from system_tests import CaseMeta, path + + +class OverreadInCiffDirectoryReadDirectory(metaclass=CaseMeta): + + filename = path("$data_path/POC-file_issue_1019") + commands = ["$exiv2 -pv $filename"] + stdout = [""] + stderr = [ + """$exiv2_exception_message $filename: +$kerOffsetOutOfRange +""" + ] + retval = [1] diff --git a/tests/suite.conf b/tests/suite.conf index 5b31930c1..dab7427b3 100644 --- a/tests/suite.conf +++ b/tests/suite.conf @@ -19,6 +19,7 @@ largeiptc_test: ${ENV:exiv2_path}/largeiptc-test${ENV:binary_extension} easyaccess_test: ${ENV:exiv2_path}/easyaccess-test${ENV:binary_extension} [variables] +kerOffsetOutOfRange: Offset out of range kerFailedToReadImageData: Failed to read image data kerCorruptedMetadata: corrupted image metadata kerInvalidMalloc: invalid memory allocation request