Fix infinite loop in PsdImage::readMetadata #518
This change makes good use of Dan's safe arithmetic. I'm not sure what a resourceLength is, however presumably if it's bigger than the file size, the file smells. So, I approve of the safe code and ask you to investigate the resourceLength/file-size puzzle.
Codecov Report

| Coverage Diff | master | #518 | +/- |
|---|---|---|---|
| Coverage | 63.59% | 63.59% | |
| Files | 154 | 154 | |
| Lines | 20560 | 20560 | |
| Hits | 13075 | 13075 | |
| Misses | 7485 | 7485 | |
Can we know the file size at this point? I thought that we were reading it chunk by chunk, and therefore we did not know its total size.
I'm thinking:

```cpp
if ( resourceSize >= io_->size() ) {
    throw Error(kerCorruptedMetadata);
}
```

Or even:

```cpp
enforce(resourceSize < io_->size(), Exiv2::kerCorruptedMetadata);
```

You might even need Dan's Safe arithmetic even to do the comparison as resourceSize is deliberately an extreme integer.
Great, I have added also that check that makes total sense and adapted the test code.

Note that these changes are also fixing the bug described in #427.
Thanks, Luis. Good Job as always.
As described in #426, a fuzzed POC was causing an infinite loop in PsdImage::readMetadata. The reason is that an addition operator over the resourcesLength variable was causing an overflow. By the addition of the Safe::add operator we can detect such situations. A regression test has been added.
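The two points raised in this thread, the checked addition that replaces the wrapping one and the bounds check against the file size suggested in review, are illustrated together below. This is an added example, not Exiv2's code: `safeAdd`, `walkResourceBlocks`, `CorruptedMetadata` and the 4-byte big-endian length-prefixed block layout are all assumptions made for the demonstration, standing in for `Safe::add`, `readMetadata`, `kerCorruptedMetadata` and the real PSD resource format.

```cpp
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for the library's corrupted-metadata error (assumption).
struct CorruptedMetadata : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// The pattern the bug relied on: unsigned addition silently wraps, so a
// fuzzed length can push the cursor back to a small value instead of forward.
uint32_t wrappingAdd(uint32_t a, uint32_t b) {
    return a + b;  // well-defined modulo 2^32, but not what a parser wants
}

// Checked addition in the spirit of Safe::add: refuse to wrap, throw instead.
uint32_t safeAdd(uint32_t a, uint32_t b) {
    if (b > std::numeric_limits<uint32_t>::max() - a)
        throw std::overflow_error("integer overflow in addition");
    return a + b;
}

// Hypothetical resource-block walker over an in-memory file (assumption):
// each block is a 4-byte big-endian length followed by that many payload bytes.
// Returns the number of blocks walked.
size_t walkResourceBlocks(const std::vector<uint8_t>& buf) {
    const uint32_t fileSize = static_cast<uint32_t>(buf.size());
    uint32_t pos = 0;
    size_t blocks = 0;
    while (safeAdd(pos, 4) <= fileSize) {
        const uint32_t resourceSize =
            (uint32_t(buf[pos]) << 24) | (uint32_t(buf[pos + 1]) << 16) |
            (uint32_t(buf[pos + 2]) << 8) | uint32_t(buf[pos + 3]);
        // Bounds check from the review: a single resource larger than the
        // whole file cannot be genuine, so reject it before using the length.
        if (resourceSize >= fileSize)
            throw CorruptedMetadata("resource length exceeds file size");
        // Checked advance. With wrappingAdd here, a length close to 2^32 would
        // land the cursor on an earlier offset and the loop would never finish.
        pos = safeAdd(safeAdd(pos, 4), resourceSize);
        ++blocks;
    }
    return blocks;
}

// Convenience wrapper for callers that only need to know whether the input
// was rejected (either by the bounds check or by the checked arithmetic).
bool walkRejects(const std::vector<uint8_t>& buf) {
    try {
        walkResourceBlocks(buf);
        return false;
    } catch (const CorruptedMetadata&) {
        return true;
    } catch (const std::overflow_error&) {
        return true;
    }
}

int main() {
    // Constructed sample inputs, not real PSD data.
    const std::vector<uint8_t> good = {0, 0, 0, 2, 'a', 'b', 0, 0, 0, 0};
    const std::vector<uint8_t> fuzzed = {0xFF, 0xFF, 0xFF, 0xFC};
    return (walkResourceBlocks(good) == 2 && walkRejects(fuzzed)) ? 0 : 1;
}
```

The wrapper keeps the two failure paths distinct in the walker itself: an absurd length is caught by the size comparison, and any arithmetic that would still overflow (for example a cursor near the top of the range) is caught by `safeAdd`, which is the property the regression test in this PR guards.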