
Commit a82098f

authored
Fix #1011 fix_1011_jp2_readmetadata_loop (#1013)
Fix #1011 fix_1011_jp2_readmetadata_loop
2 parents a30027c + 1b917c3 commit a82098f


4 files changed

+35
-7
lines changed


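--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -18,10 +18,6 @@
 * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
 */
 
-/*
-File: jp2image.cpp
-*/
-
 // *****************************************************************************
 
 // included header files
@@ -197,6 +193,16 @@ namespace Exiv2
 return result;
 }
 
+static void boxes_check(size_t b,size_t m)
+{
+if ( b > m ) {
+#ifdef EXIV2_DEBUG_MESSAGES
+std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
+#endif
+throw Error(kerCorruptedMetadata);
+}
+}
+
 void Jp2Image::readMetadata()
 {
 #ifdef EXIV2_DEBUG_MESSAGES
@@ -219,9 +225,12 @@ namespace Exiv2
 Jp2BoxHeader subBox = {0,0};
 Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0};
 Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+size_t boxes = 0 ;
+size_t boxem = 1000 ; // boxes max
 
 while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
 {
+boxes_check(boxes++,boxem );
 position = io_->tell();
 box.length = getLong((byte*)&box.length, bigEndian);
 box.type = getLong((byte*)&box.type, bigEndian);
@@ -251,8 +260,12 @@ namespace Exiv2
 
 while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
 {
+boxes_check(boxes++, boxem) ;
 subBox.length = getLong((byte*)&subBox.length, bigEndian);
 subBox.type = getLong((byte*)&subBox.type, bigEndian);
+if (subBox.length > io_->size() ) {
+throw Error(kerCorruptedMetadata);
+}
 #ifdef EXIV2_DEBUG_MESSAGES
 std::cout << "Exiv2::Jp2Image::readMetadata: "
 << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
@@ -308,7 +321,9 @@ namespace Exiv2
 }
 
 io_->seek(restore,BasicIo::beg);
-io_->seek(subBox.length, Exiv2::BasicIo::cur);
+if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
+throw Error(kerCorruptedMetadata);
+}
 restore = io_->tell();
 }
 break;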
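Review bot: The new sub-box check in the `-251,8 +260,12` hunk only bounds `subBox.length` from above against the whole file, so a length of 1..7 (smaller than the 8-byte header the loop just read) still passes and the later `seek(subBox.length, cur)` appears to re-read overlapping bytes until the 1000-box cap finally throws; `if (subBox.length < sizeof(subBox) || subBox.length > io_->size() ) {` rejects such headers immediately (presumably extended-length boxes, LBox == 1, are not handled here anyway — worth confirming). The upper bound would also be tighter against the bytes remaining in the enclosing box rather than `io_->size()`, though the hunk does not show where that limit is kept. In the last hunk, relying on `seek(...) != 0` assumes the BasicIo implementation in use reports a seek past the end as a failure; if a file-backed implementation accepts it, `restore = io_->tell()` still advances past the data and only the read loop condition stops the scan. The enclosing `readMetadata()` body starts and ends outside these hunks, and `boxes_check` at `+196` would benefit from a one-line comment such as `// Guard against crafted files whose box chain never terminates: throws once more than m boxes have been visited.`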

Diff for: test/data/Jp2Image_readMetadata_loop.poc

738 Bytes
Binary file not shown.

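--- a/tests/bugfixes/github/test_CVE_2017_17725.py
+++ b/tests/bugfixes/github/test_CVE_2017_17725.py
@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
 filename = "$data_path/poc_2017-12-12_issue188"
 commands = ["$exiv2 " + filename]
 stdout = [""]
-stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
-$addition_overflow_message
+stderr = ["""$exiv2_exception_message """ + filename + """:
+$kerCorruptedMetadata
 """]
 retval = [1]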
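Review bot: The expected stderr at `+14`/`+15` switches from the addition-overflow message to `$kerCorruptedMetadata` without anything in the test recording why, so a reader of this CVE-2017-17725 regression test can no longer tell whether the overflow guard it was written for is still reached or whether the file is now rejected earlier by the new sub-box length check (presumably the latter, given the sibling test added in this commit). A short comment above the `stderr` assignment, e.g. `# since #1013 the sub-box length check rejects this file before the overflow guard fires; see test_issue_1011.py`, would preserve that intent for the next change to the error strings. The enclosing class `TestCvePoC` starts outside the hunk.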

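--- /dev/null
+++ b/tests/bugfixes/github/test_issue_1011.py
@@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+class Test_issue_1011(metaclass=CaseMeta):
+
+filename = path("$data_path/Jp2Image_readMetadata_loop.poc")
+commands = ["$exiv2 " + filename]
+stdout = [""]
+stderr = ["""$exiv2_exception_message """ + filename + """:
+$kerCorruptedMetadata
+"""]
+retval = [1]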
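Review bot: `Test_issue_1011` carries no docstring, so nothing in the test says what `Jp2Image_readMetadata_loop.poc` exercises; the binary PoC is otherwise opaque and the expected `$kerCorruptedMetadata` could come from either of the two new checks in jp2image.cpp. A one-line docstring under the class line, e.g. `"""Regression test for #1011: a JP2 file whose box chain makes readMetadata() loop must be rejected with kerCorruptedMetadata."""`, would tie the fixture to the fix (the loop description is taken from the commit title, so adjust it if the PoC triggers the length check instead). Naming the class `TestIssue1011` would also match the CamelCase used by `TestCvePoC` in the neighbouring test.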
