1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
From: clanmills <robin@clanmills.com>
Date: Tue, 1 Oct 2019 17:39:44 +0100
Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop
---
src/jp2image.cpp | 25 +++++++++++++++----
tests/bugfixes/github/test_CVE_2017_17725.py | 4 +--
tests/bugfixes/github/test_issue_1011.py | 13 ++++++++++
4 files changed, 35 insertions(+), 7 deletions(-)
create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
create mode 100644 tests/bugfixes/github/test_issue_1011.py
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index d5cd1340a..0de088d62 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -18,10 +18,6 @@
* Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
*/
-/*
- File: jp2image.cpp
-*/
-
// *****************************************************************************
// included header files
@@ -197,6 +193,16 @@ namespace Exiv2
return result;
}
+static void boxes_check(size_t b,size_t m)
+{
+ if ( b > m ) {
+#ifdef EXIV2_DEBUG_MESSAGES
+ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
+#endif
+ throw Error(kerCorruptedMetadata);
+ }
+}
+
void Jp2Image::readMetadata()
{
#ifdef EXIV2_DEBUG_MESSAGES
@@ -219,9 +225,12 @@ namespace Exiv2
Jp2BoxHeader subBox = {0,0};
Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0};
Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+ size_t boxes = 0 ;
+ size_t boxem = 1000 ; // boxes max
while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
{
+ boxes_check(boxes++,boxem );
position = io_->tell();
box.length = getLong((byte*)&box.length, bigEndian);
box.type = getLong((byte*)&box.type, bigEndian);
@@ -251,8 +260,12 @@ namespace Exiv2
while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
{
+ boxes_check(boxes++, boxem) ;
subBox.length = getLong((byte*)&subBox.length, bigEndian);
subBox.type = getLong((byte*)&subBox.type, bigEndian);
+ if (subBox.length > io_->size() ) {
+ throw Error(kerCorruptedMetadata);
+ }
#ifdef EXIV2_DEBUG_MESSAGES
std::cout << "Exiv2::Jp2Image::readMetadata: "
<< "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
@@ -308,7 +321,9 @@ namespace Exiv2
}
io_->seek(restore,BasicIo::beg);
- io_->seek(subBox.length, Exiv2::BasicIo::cur);
+ if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
+ throw Error(kerCorruptedMetadata);
+ }
restore = io_->tell();
}
break;
diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py
index 1127b9806..670a75d8d 100644
--- a/tests/bugfixes/github/test_CVE_2017_17725.py
+++ b/tests/bugfixes/github/test_CVE_2017_17725.py
@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
filename = "$data_path/poc_2017-12-12_issue188"
commands = ["$exiv2 " + filename]
stdout = [""]
- stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
-$addition_overflow_message
+ stderr = ["""$exiv2_exception_message """ + filename + """:
+$kerCorruptedMetadata
"""]
retval = [1]
diff --git a/tests/bugfixes/github/test_issue_1011.py b/tests/bugfixes/github/test_issue_1011.py
new file mode 100644
index 000000000..415861188
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_1011.py
@@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+class Test_issue_1011(metaclass=CaseMeta):
+
+ filename = path("$data_path/Jp2Image_readMetadata_loop.poc")
+ commands = ["$exiv2 " + filename]
+ stdout = [""]
+ stderr = ["""$exiv2_exception_message """ + filename + """:
+$kerCorruptedMetadata
+"""]
+ retval = [1]
\ No newline at end of file
|