Better bounds checking in Jp2Image::encodeJp2Header()

Exiv2 · Apr 20, 2021 · f930883 · f930883
1 parent e1686eb
commit f930883
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
@@ -646,11 +646,11 @@ static void boxes_check(size_t b,size_t m)
     void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
     {
         DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
-        int     outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
-        int      inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+        long    outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+        long    inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
         Jp2BoxHeader* pBox   = (Jp2BoxHeader*) boxBuf.pData_;
-        int32_t       length = getLong((byte*)&pBox->length, bigEndian);
-        int32_t       count  = sizeof (Jp2BoxHeader);
+        uint32_t      length = getLong((byte*)&pBox->length, bigEndian);
+        uint32_t      count  = sizeof (Jp2BoxHeader);
         char*         p      = (char*) boxBuf.pData_;
         bool          bWroteColor = false ;
 
@@ -667,6 +667,7 @@ static void boxes_check(size_t b,size_t m)
 #ifdef EXIV2_DEBUG_MESSAGES
                 std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl;
 #endif
+                enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata);
                 count        += subBox.length;
                 newBox.type   = subBox.type;
             } else {
@@ -675,13 +676,14 @@ static void boxes_check(size_t b,size_t m)
                 count = length;
             }
 
-            int32_t newlen = subBox.length;
+            uint32_t newlen = subBox.length;
             if ( newBox.type == kJp2BoxTypeColorHeader ) {
                 bWroteColor = true ;
                 if ( ! iccProfileDefined() ) {
                     const char* pad   = "\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid";
                     uint32_t    psize = 15;
                     newlen            = sizeof(newBox) + psize ;
+                    enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
                     ul2Data((byte*)&newBox.length,psize      ,bigEndian);
                     ul2Data((byte*)&newBox.type  ,newBox.type,bigEndian);
                     ::memcpy(output.pData_+outlen                     ,&newBox            ,sizeof(newBox));
@@ -690,13 +692,15 @@ static void boxes_check(size_t b,size_t m)
                     const char* pad   = "\x02\x00\x00";
                     uint32_t    psize = 3;
                     newlen            = sizeof(newBox) + psize + iccProfile_.size_;
+                    enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
                     ul2Data((byte*)&newBox.length,newlen,bigEndian);
                     ul2Data((byte*)&newBox.type,newBox.type,bigEndian);
                     ::memcpy(output.pData_+outlen                     ,&newBox            ,sizeof(newBox)  );
                     ::memcpy(output.pData_+outlen+sizeof(newBox)      , pad               ,psize           );
                     ::memcpy(output.pData_+outlen+sizeof(newBox)+psize,iccProfile_.pData_,iccProfile_.size_);
                 }
             } else {
+                enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
                 ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length);
             }