Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
The invalid memory dereference in Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read() is caused further up the call-stack, by v->read(pData, size, byteOrder) in TiffReader::readTiffEntry() passing an invalid pData pointer (pData points outside of the Tiff file). pData can be set out of bounds in the (size > 4) branch where baseOffset() and offset are added to pData_ without checking whether the result is still in the file. As offset comes from an untrusted source, an attacker can craft an arbitrarily large offset into the file. This commit adds a check into the problematic branch, whether the result of the addition would be out of bounds of the Tiff file. Furthermore the whole operation is checked for possible overflows.
- Loading branch information