Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
exiv2.30966
improve-pngchunk-bounds-checking.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File improve-pngchunk-bounds-checking.patch of Package exiv2.30966
This updates the implementation of PngChunk::readRawProfile() to the version in 0.27.5 --- exiv2-0.26.orig/src/pngchunk.cpp +++ exiv2-0.26/src/pngchunk.cpp @@ -37,6 +37,7 @@ EXIV2_RCSID("@(#) $Id$") #include "iptc.hpp" #include "image.hpp" #include "error.hpp" +#include "enforce.hpp" // + standard includes #include <sstream> @@ -590,17 +591,12 @@ namespace Exiv2 { DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt) { DataBuf info; - register long i; - register unsigned char *dp; - const char *sp; - unsigned int nibbles; - long length; unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, - 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, - 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0, - 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, - 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12, - 13,14,15}; + 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, + 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0, + 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, + 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12, + 13,14,15}; if (text.size_ == 0) { return DataBuf(); } @@ -611,39 +607,69 @@ namespace Exiv2 { return info; } + const char *sp = (char*) text.pData_+1; // current byte (space pointer) + const char *eot = (char*) text.pData_+text.size_; // end of text - sp = (char*)text.pData_+1; + if (sp >= eot) { + return DataBuf(); + } // Look for newline - while (*sp != '\n') + { sp++; + if ( sp == eot ) + { + return DataBuf(); + } + } + sp++ ; // step over '\n' + if (sp == eot) { + return DataBuf(); + } // Look for length - while (*sp == '\0' || *sp == ' ' || *sp == '\n') + { sp++; - - length = (long) atol(sp); - const char* eot = (char*)text.pData_ + text.size_; - if (length < 0 || length > (eot - sp)/2) { - throw Error(14); + if (sp == eot ) + { + return DataBuf(); + } } - while (*sp != ' ' && *sp != '\n') + // Parse the length. + long length = 0; + while ('0' <= *sp && *sp <= '9') + { + // Compute the new length using unsigned long, so that we can + // check for overflow. + const unsigned long newlength = (10 * static_cast<unsigned long>(length)) + (*sp - '0'); + if (newlength > static_cast<unsigned long>(std::numeric_limits<long>::max())) { + return DataBuf(); // Integer overflow. + } + length = static_cast<long>(newlength); sp++; + if (sp == eot ) + { + return DataBuf(); + } + } + sp++ ; // step over '\n' + if (sp == eot) { + return DataBuf(); + } - // Allocate space + enforce(length <= (eot - sp)/2, Exiv2::kerCorruptedMetadata); + // Allocate space if (length == 0) { #ifdef DEBUG std::cerr << "Exiv2::PngChunk::readRawProfile: Unable To Copy Raw Profile: invalid profile length\n"; #endif } - info.alloc(length); - if (info.size_ != length) { #ifdef DEBUG @@ -654,11 +680,12 @@ namespace Exiv2 { // Copy profile, skipping white space and column 1 "=" signs - dp = (unsigned char*)info.pData_; - nibbles = length * 2; + unsigned char *dp = (unsigned char*)info.pData_; // decode pointer + unsigned int nibbles = length * 2; - for (i = 0; i < (long) nibbles; i++) + for (long i = 0; i < (long) nibbles; i++) { + enforce(sp < eot, Exiv2::kerCorruptedMetadata); while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f') { if (*sp == '\0') @@ -670,6 +697,7 @@ namespace Exiv2 { } sp++; + enforce(sp < eot, Exiv2::kerCorruptedMetadata); } if (i%2 == 0)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
