William A. Kennington III | b95905d | 2021-06-02 12:40:56 -0700 | [diff] [blame] | 1 | From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001 |
| 2 | From: Robin Mills <robin@clanmills.com> |
| 3 | Date: Mon, 5 Apr 2021 20:33:25 +0100 |
| 4 | Subject: [PATCH] fix_1522_jp2image_exif_asan |
| 5 | |
| 6 | --- |
| 7 | src/jp2image.cpp | 9 ++++++--- |
| 8 | 1 file changed, 6 insertions(+), 3 deletions(-) |
| 9 | |
| 10 | diff --git a/src/jp2image.cpp b/src/jp2image.cpp |
| 11 | index eb31cea4a..88ab9b2d6 100644 |
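--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -28,6 +28,7 @@
 #include "image.hpp"
 #include "image_int.hpp"
 #include "basicio.hpp"
+#include "enforce.hpp"
 #include "error.hpp"
 #include "futils.hpp"
 #include "types.hpp"
@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m)
 if (io_->error()) throw Error(kerFailedToReadImageData);
 if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);
 
- if (rawData.size_ > 0)
+ if (rawData.size_ > 8) // "II*\0long"
 {
 // Find the position of Exif header in bytes array.
 long pos = ( (rawData.pData_[0] == rawData.pData_[1])
@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m)
 position = io_->tell();
 box.length = getLong((byte*)&box.length, bigEndian);
 box.type = getLong((byte*)&box.type, bigEndian);
+ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
 
 if (bPrint) {
 out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)),
@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m)
 throw Error(kerInputDataReadFailed);
 
 if (bPrint) {
- out << Internal::binaryToString(makeSlice(rawData, 0, 40));
+ out << Internal::binaryToString(
+ makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_));
 out.flush();
 }
 lf(out, bLF);
 
- if (bIsExif && bRecursive && rawData.size_ > 0) {
+ if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long"
 if ((rawData.pData_[0] == rawData.pData_[1]) &&
 (rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) {
 BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_));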
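Review bot: The bound added at `@@ -497,6 +498,7 @@`, `enforce(box.length <= io_->size()-io_->tell(), ...)`, looks 8 bytes too strict: `position = io_->tell()` and the later `position - sizeof(box)` suggest the header has already been consumed, while a JP2 box length counts its own header, so a well-formed final box that ends exactly at end of file would be rejected as kerCorruptedMetadata. If that reading is right, the check should be `enforce(box.length <= sizeof(box) + io_->size() - io_->tell(), Exiv2::kerCorruptedMetadata);`. The subtraction also mixes the return types of size() and tell(), which are not visible here; if tell() can return a negative error value the difference would wrap and the bound would pass, so tell() is worth validating first. A nonzero length below sizeof(box) is not rejected by this line either, and the loop that reads the header sits outside the hunk, so whether that case is caught elsewhere cannot be confirmed from the diff.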