From c0ecc2ae36f34462be98623deb85ba1747ae2175 Mon Sep 17 00:00:00 2001
|
|
From: Kevin Backhouse <kev@semmle.com>
|
|
Date: Mon, 13 May 2019 16:56:29 +0100
|
|
Subject: [PATCH] Avoid integer overflow.
|
|
|
|
---
|
|
src/crwimage.cpp | 4 ++--
|
|
tests/bugfixes/github/test_issue_843.py | 22 ++++++++++++++++++++++
|
|
2 files changed, 24 insertions(+), 2 deletions(-)
|
|
create mode 100644 tests/bugfixes/github/test_issue_843.py
|
|
|
|
diff --git a/src/crwimage.cpp b/src/crwimage.cpp
|
|
index c2fd5f3a5..4080c0787 100644
|
|
--- a/src/crwimage.cpp
|
|
+++ b/src/crwimage.cpp
|
|
@@ -281,7 +281,7 @@ namespace Exiv2 {
|
|
if (size < 4)
|
|
throw Error(33);
|
|
uint32_t o = getULong(pData + size - 4, byteOrder);
|
|
- if ( o+2 > size )
|
|
+ if ( o > size-2 )
|
|
throw Error(33);
|
|
uint16_t count = getUShort(pData + o, byteOrder);
|
|
#ifdef DEBUG
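Review bot: The rewritten bound `o > size-2` is wrap-free only because of the `size < 4` guard two lines above it, and the second hunk's `size-o` in turn relies on this check having established `o+2 <= size` before `o += 2`; neither dependency is written down. A short comment at each site, for example `// size >= 4 here, so size-2 cannot wrap` and `// o <= size (checked above), so size-o cannot wrap`, would keep a later edit from moving or dropping a guard and reopening the out-of-bounds read. The declaration of `size` is outside the hunk, so this assumes it is an unsigned 32-bit value like `o`; if it is not, the comparison needs another look.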
|
|
@@ -289,7 +289,7 @@ namespace Exiv2 {
|
|
<<", " << count << " entries \n";
|
|
#endif
|
|
o += 2;
|
|
- if ( (o + (count * 10)) > size )
|
|
+ if ( static_cast<uint32_t>(count) * 10 > size-o )
|
|
throw Error(33);
|
|
|
|
for (uint16_t i = 0; i < count; ++i) {
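Review bot: The new check `static_cast<uint32_t>(count) * 10 > size-o` hard-codes the per-entry size as the literal `10`, and it only covers every read if the loop that opens on the last line of the hunk advances by the same amount. The loop body is outside the hunk, so that stride is inferred rather than visible. Naming the value once, e.g. `const uint32_t entrySize = 10;`, and using it in both the bound and the loop would keep the check and the reads from drifting apart.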
|
|
diff --git a/tests/bugfixes/github/test_issue_843.py b/tests/bugfixes/github/test_issue_843.py
|
|
new file mode 100644
|
|
index 000000000..2df9c1cf8
|
|
--- /dev/null
|
|
+++ b/tests/bugfixes/github/test_issue_843.py
|
|
@@ -0,0 +1,22 @@
|
|
+# -*- coding: utf-8 -*-
|
|
+
|
|
+from system_tests import CaseMeta, path
|
|
+
|
|
+
|
|
+class IntegerOverflowInCiffDirectoryReadDirectory(metaclass=CaseMeta):
|
|
+ """
|
|
+ Regression test for the bug described in:
|
|
+ https://github.com/Exiv2/exiv2/issues/843
|
|
+
|
|
+ An integer overflow causes an out-of-bounds read.
|
|
+ """
|
|
+ url = "https://github.com/Exiv2/exiv2/issues/843"
|
|
+
|
|
+ filename = path("$data_path/issue_843_poc.crw")
|
|
+ commands = ["$exiv2 $filename"]
|
|
+ stdout = [""]
|
|
+ stderr = [
|
|
+ """$exiv2_exception_message $filename:
|
|
+$kerCorruptedMetadata
|
|
+"""]
|
|
+ retval = [1]
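Review bot: The test reads `$data_path/issue_843_poc.crw`, but the diffstat lists only `src/crwimage.cpp` and this test file, so the sample has to be added by some other route or the case will fail for an unrelated reason. The docstring could say so and also record which of the two changed checks the sample reaches, e.g. `Needs $data_path/issue_843_poc.crw; exercises the directory-offset check in CiffDirectory::readDirectory.`, with the second half adjusted to whichever check it actually hits. As written, a single sample most likely reaches only one of the two rewritten comparisons, leaving the other without regression coverage.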
|