Fix infinite loop in PsdImage::readMetadata #518
Conversation
|
This change mades good use of Dan's safe arithmetic. I'm not sure what a resourceLength is, however presumably if it's bigger that the file size, the file smells. So, I approve of the safe code and ask you to investigate resourceLength/file-size puzzle. |
Codecov Report
@@ Coverage Diff @@
## master #518 +/- ##
=======================================
Coverage 63.59% 63.59%
=======================================
Files 154 154
Lines 20560 20560
=======================================
Hits 13075 13075
Misses 7485 7485
Continue to review full report at Codecov.
|
|
Can we know the file size at this point? I thought that we were reading it chunk by chunk, and therefore we did not know its total size. |
There was a problem hiding this comment.
I'm thinking:
if ( resourceSize >= io_->size() ) {
throw Error(kerCorruptedMetadata);
}
Or even:
enforce(resourceSize < io_->size(), Exiv2::kerCorruptedMetadata);
You might even need Dan's Safe arithmetic even to do the comparison as resourceSize is deliberately an extreme integer.
|
Great, I have added also that check that makes total sense and adapted the test code. |
|
Note that these changes are also fixing the bug described in #427. |
As described in #426 , a fuzzed POC was causing an infinite loop in
PsdImage::readMetadata. The reason is that an addition operator over theresourcesLengthvariable was causing an overflow. By the addition of theSafe::addoperator we can detect such situations.A regression test has been added.