Merge pull request from GHSA-hrw9-ggg3-3r4r

Fix integer overflow in BmffImage::brotliUncompress
Exiv2 · Nov 5, 2023 · e884a09 · e884a09
2 parents 8fd2dfb + d8f82d5
commit e884a09
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 1 deletion.
diff --git a/src/bmffimage.cpp b/src/bmffimage.cpp
@@ -212,7 +212,7 @@ void BmffImage::brotliUncompress(const byte* compressedBuf, size_t compressedBuf
       uncompressedLen *= 2;
       // DoS protection - can't be bigger than 128k
       if (uncompressedLen > 131072) {
-        if (++dos > 1)
+        if (++dos > 1 || total_out > 131072)
           break;
         uncompressedLen = 131072;
       }

diff --git a/test/data/issue_ghsa_hrw9_ggg3_3r4r_poc.jpg b/test/data/issue_ghsa_hrw9_ggg3_3r4r_poc.jpg
diff --git a/tests/bugfixes/github/test_issue_ghsa_hrw9_ggg3_3r4r.py b/tests/bugfixes/github/test_issue_ghsa_hrw9_ggg3_3r4r.py
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+class BrotliUncompressOutOfBoundsWrite(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-hrw9-ggg3-3r4r
+    """
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-hrw9-ggg3-3r4r"
+
+    filename = path("$data_path/issue_ghsa_hrw9_ggg3_3r4r_poc.jpg")
+    commands = ["$exiv2 $filename"]
+    stdout = [""]
+    stderr = [
+"""Exiv2 exception in print action for file $filename:
+$kerFailedToReadImageData
+"""]
+    retval = [1]
diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
@@ -116,6 +116,7 @@ def get_valid_files(data_dir):
         "issue_ghsa_583f_w9pm_99r2_poc.jp2",
         "issue_ghsa_7569_phvm_vwc2_poc.jp2",
         "issue_ghsa_mxw9_qx4c_6m8v_poc.jp2",
+        "issue_ghsa_hrw9_ggg3_3r4r_poc.jpg",
         "pocIssue283.jpg",
         "poc_1522.jp2",
         "xmpsdk.xmp",