From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
From: Robin Mills
Date: Mon, 5 Apr 2021 20:33:25 +0100
Subject: [PATCH] fix_1522_jp2image_exif_asan
---
 src/jp2image.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index a81e68f..8e36276 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -38,6 +38,7 @@ EXIV2_RCSID("@(#) $Id$")
 #include "image.hpp"
 #include "image_int.hpp"
 #include "basicio.hpp"
+#include "enforce.hpp"
 #include "error.hpp"
 #include "futils.hpp"
 #include "types.hpp"
@@ -345,7 +346,7 @@ namespace Exiv2
 if (io_->error()) throw Error(14);
 if (bufRead != rawData.size_) throw Error(20);
- if (rawData.size_ > 0)
+ if (rawData.size_ > 8) // "II*\0long"
 {
 // Find the position of Exif header in bytes array.
 long pos = ( (rawData.pData_[0] == rawData.pData_[1])
@@ -484,6 +485,7 @@ namespace Exiv2
 position = io_->tell();
 box.length = getLong((byte*)&box.length, bigEndian);
 box.type = getLong((byte*)&box.type, bigEndian);
+ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
 if ( bPrint ) {
 out << Internal::stringFormat("%8ld | %8ld | ",position-sizeof(box),box.length) << toAscii(box.type) << " | " ;
@@ -560,12 +562,13 @@ namespace Exiv2
 if (bufRead != rawData.size_) throw Error(20);
 if ( bPrint ){
- out << Internal::binaryToString(rawData,40,0);
+ out << Internal::binaryToString(
+ rawData, rawData.size_>40?40:rawData.size_, 0);
 out.flush();
 }
 lf(out,bLF);
- if(bIsExif && bRecursive && rawData.size_ > 0)
+ if(bIsExif && bRecursive && rawData.size_ > 8) // "II*\0long"
 {
 if ( (rawData.pData_[0] == rawData.pData_[1])
 && (rawData.pData_[0]=='I' || rawData.pData_[0]=='M' )
--
2.23.0
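Review bot: The new threshold in `if (rawData.size_ > 8) // "II*\0long"` (hunk `@@ -345,7 +346,7 @@`) is a bare magic number with a cryptic comment, and the same literal and comment are repeated in the `bIsExif && bRecursive` guard of the last hunk. A single named constant would keep the two guards in step, for example `const long kTiffHeaderSize = 8; // byte-order mark (2) + magic 42 (2) + IFD offset (4)`, used as `rawData.size_ > kTiffHeaderSize` in both places. Both guarded bodies continue outside their hunks, so whether every later index into `rawData.pData_` stays below `rawData.size_` cannot be confirmed from here and is worth checking against the full functions.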
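Review bot: The bound in the added `enforce` (hunk `@@ -484,6 +485,7 @@`) looks too tight by the size of the box header. It compares `box.length` with the bytes remaining after the header has already been read, while a JP2 box length counts the header as well, so a well-formed final box that ends exactly at end of file would be rejected as corrupted metadata. The print statement just below uses `position-sizeof(box)` as the box offset, which indicates that `io_->tell()` is already past the header here. Consider `enforce(box.length <= sizeof(box) + io_->size() - io_->tell(), Exiv2::kerCorruptedMetadata);`. A length shorter than the header itself is not rejected in this hunk; the enclosing loop starts and ends outside it, so whether that case is handled elsewhere is not visible.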