Infinite loop inside Exiv2::PsdImage::readMetadata (psdimage.cpp) #426

Closed
hongxuchen opened this issue Aug 31, 2018 · 4 comments

hongxuchen commented Aug 31, 2018

There seems to be an infinite loop inside Exiv2::PsdImage::readMetadata at https://github.com/Exiv2/exiv2/blob/disable-printStructure/src/psdimage.cpp#L200-L233 (5940c6f).

It checks while (resourcesLength > 0) at line 200; resourcesLength is updated at line 232. However, sometimes resourceNameLength + resourceSize may be 0xfffffff4, and it will be truncated to 0 when adding 12, making the subtraction have no effect.

A concrete input is available: h01 and h02.

@piponazo piponazo added the bug label Sep 7, 2018
@D4N D4N added this to TODO in v0.27 Sep 13, 2018

piponazo commented Nov 4, 2018

I have checked the PSD specification and it seems that there is no maximum value for the "Length of image resource section":

https://www.adobe.com/devnet-apps/photoshop/fileformatashtml/#50577409_pgfId-1037504

Clearly this situation happens because the value of resourcesLength has been intentionally set to have such an extreme case value, 4194305530.

@D4N In the past you have been dealing with this kind of situations. This is a perfect scenario for using the utility Safe::add, right?
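Added example (editorial; not code from the Exiv2 project or from anyone in this thread): a stand-alone C++ walker over a PSD image resource section that reproduces the arithmetic hongxuchen describes above and shows the overflow-checked accounting piponazo is asking about. MemIo, checkedAdd32, walkUnchecked, walkChecked, goodSection, craftedSection and kReportedLength are hypothetical names; checkedAdd32 stands in for the idea behind Safe::add and is not its implementation, the block layout follows Adobe's published PSD spec, and the sample byte strings are constructed here rather than taken from h01/h02. On the constructed section whose single block declares a size of 0xfffffff4, the unchecked loop's per-block delta is 12 + 0xfffffff4, which wraps to 0, so that loop only stops at the demo's iteration cap; the checked walker rejects the section before skipping any data.

```cpp
// Added example, not Exiv2's code. MemIo, checkedAdd32, walkUnchecked,
// walkChecked and the sample sections are hypothetical stand-ins.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// In-memory stand-in for the image stream: a short read returns fewer bytes
// than asked for; a seek past the end fails and leaves the position alone.
struct MemIo {
    std::vector<uint8_t> data;
    size_t pos = 0;
    explicit MemIo(const std::vector<uint8_t>& d) : data(d) {}
    size_t remaining() const { return data.size() - pos; }
    size_t read(uint8_t* dst, size_t n) {
        size_t got = n < remaining() ? n : remaining();
        std::memcpy(dst, data.data() + pos, got); pos += got; return got;
    }
    bool seekCur(uint64_t off) {
        if (off > remaining()) return false;
        pos += static_cast<size_t>(off); return true;
    }
};
static uint32_t be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}
// Overflow-checked add, the idea behind Exiv2's Safe::add (not its code).
static bool checkedAdd32(uint32_t a, uint32_t b, uint32_t* out) {
    if (a > UINT32_MAX - b) return false;
    *out = a + b; return true;
}

// Resource block layout (Adobe PSD spec): "8BIM"(4) | id(2) | name: length byte +
// bytes, padded so length+1 is even | size(4, big-endian) | data, padded to even.
// Unchecked walker, modelled on the loop in the report: I/O results are ignored and
// the outstanding length is reduced with plain uint32 arithmetic. maxIter guards
// this demo only. Returns the number of iterations run.
static size_t walkUnchecked(const std::vector<uint8_t>& section,
                            uint32_t resourcesLength, size_t maxIter) {
    MemIo io(section);
    size_t iterations = 0;
    uint8_t hdr[7] = {0}, sz[4] = {0};   // reused: a failed read keeps stale bytes
    while (resourcesLength > 0 && iterations < maxIter) {
        io.read(hdr, sizeof hdr);                        // "8BIM", id, name length
        uint32_t paddedName = (uint32_t(hdr[6]) + 2) & ~1u;
        io.seekCur(paddedName - 1);                      // name bytes and pad
        io.read(sz, sizeof sz);
        uint32_t size = be32(sz);
        uint32_t paddedData = size + (size & 1u);
        io.seekCur(paddedData);                          // resource data
        ++iterations;
        // 10 fixed bytes + padded name + padded data; with an empty name and
        // size 0xfffffff4 this is 12 + 0xfffffff4, which wraps to 0.
        resourcesLength -= 10u + paddedName + paddedData;
    }
    return iterations;
}

// Checked walker: every read and seek is verified; the block length is computed
// with overflow detection and must fit what the section header still promises.
// Returns false on the first inconsistency; *blocks counts accepted blocks.
static bool walkChecked(const std::vector<uint8_t>& section,
                        uint32_t resourcesLength, size_t* blocks) {
    MemIo io(section);
    *blocks = 0;
    if (resourcesLength > io.remaining()) return false;  // header promises more than exists
    while (resourcesLength > 0) {
        uint8_t hdr[7], sz[4];
        if (io.read(hdr, sizeof hdr) != sizeof hdr || std::memcmp(hdr, "8BIM", 4) != 0) return false;
        uint32_t paddedName = (uint32_t(hdr[6]) + 2) & ~1u;
        if (!io.seekCur(paddedName - 1) || io.read(sz, sizeof sz) != sizeof sz) return false;
        uint32_t size = be32(sz), delta;
        if (!checkedAdd32(10u + paddedName, size, &delta) ||
            !checkedAdd32(delta, size & 1u, &delta)) return false;      // would wrap
        if (delta > resourcesLength) return false;                     // block overruns section
        if (!io.seekCur(uint64_t(size) + (size & 1u))) return false;   // data not present
        resourcesLength -= delta;
        ++*blocks;
    }
    return true;
}

// Constructed sample sections, not taken from any real file.
static std::vector<uint8_t> goodSection() {   // two well-formed blocks, 46 bytes
    std::vector<uint8_t> v = {'8','B','I','M', 0x03,0xED, 0x00,0x00, 0x00,0x00,0x00,0x10};
    v.insert(v.end(), size_t(16), uint8_t(0xAA));
    const uint8_t b2[] = {'8','B','I','M', 0x04,0x04, 0x02,'a','b',0x00,
                          0x00,0x00,0x00,0x03, 0x01,0x02,0x03,0x00};
    v.insert(v.end(), b2, b2 + sizeof b2);
    return v;
}
static std::vector<uint8_t> craftedSection() { // one block claiming size 0xfffffff4
    return {'8','B','I','M', 0x00,0x00, 0x00,0x00, 0xFF,0xFF,0xFF,0xF4};
}
static const uint32_t kReportedLength = 4194305530u;  // resourcesLength quoted in the thread

int main() {
    size_t n = 0;
    bool ok = walkChecked(goodSection(), 46, &n);
    std::printf("good: unchecked %zu iterations, checked ok=%d blocks=%zu\n",
                walkUnchecked(goodSection(), 46, 100), ok, n);
    std::printf("crafted: unchecked stopped only at the cap (%zu iterations), checked ok=%d\n",
                walkUnchecked(craftedSection(), kReportedLength, 1000),
                walkChecked(craftedSection(), kReportedLength, &n));
    return 0;
}
```

The checked walker deliberately refuses in three places: the section length is compared against the bytes actually left before any block is read, each block's delta is computed with checkedAdd32 so a wrap is reported rather than silently folded into 0, and the delta is compared against the outstanding section length so the remaining count can never underflow. Any one of those checks would stop the crafted input; keeping all three means a different malformed length (one that fits in 32 bits but not in the file) is still caught.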


clanmills commented Nov 4, 2018 via email

piponazo added a commit that referenced this issue Nov 6, 2018

piponazo commented Nov 6, 2018

This issue was fixed by #518

@piponazo piponazo closed this as completed Nov 6, 2018
@piponazo piponazo moved this from TODO to In Progress in v0.27 Nov 6, 2018
@piponazo piponazo moved this from In Progress to Done in v0.27 Nov 6, 2018
@clanmills clanmills added this to the v0.27 milestone Nov 7, 2018
hongxuchen (author) commented

This got assigned CVE-2018-19108.
