There seems to be an infinite loop inside `Exiv2::PsdImage::readMetadata` at https://github.com/Exiv2/exiv2/blob/disable-printStructure/src/psdimage.cpp#L200-L233 (5940c6f).
It checks `while (resourcesLength > 0)` at line 200, and `resourcesLength` is updated at line 232. However, sometimes `resourceNameLength + resourceSize` may be 0xfffffff4, and it will be truncated to 0 when adding 12, making the subtraction have no effect.
A concrete input is available: h01 and h02.
I have checked the PSD specification and it seems that there is not a maximum value for the "Length of image resource section":
https://www.adobe.com/devnet-apps/photoshop/fileformatashtml/#50577409_pgfId-1037504
Clearly this situation happens because the value of `resourcesLength` has been intentionally set to the extreme value 4194305530.
@D4N In the past you have been dealing with this kind of situation. This is a perfect scenario for using the utility `Safe::add`, right?
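To make the failure mode in the report concrete, here is an added example (not code from the Exiv2 project) that mirrors the shape of the loop the reporter describes: each resource block consumes name length + data size + 12 bytes from the remaining section length. The unchecked version shows how a wrapped sum of 0 leaves `resourcesLength` unchanged so the loop never makes progress; the checked version uses an overflow-aware add written here as a stand-in for `Safe::add`, and also rejects a block that claims more bytes than remain in the section (which would otherwise underflow the unsigned counter). The `ResourceBlock` struct, the helper names and the sample values are all constructed for this example.

```cpp
#include <cstdint>
#include <limits>

// Constructed stand-in for the two length fields of one PSD image resource
// block, as described in the report (not parsed from a real file here).
struct ResourceBlock {
    uint32_t nameLength;
    uint32_t dataSize;
};

// Unchecked accounting in the shape the report describes. Returns how many
// blocks were consumed before the section length reached zero, or -1 when
// the loop stopped making progress (in the real parser that is the infinite
// loop; here an iteration cap keeps the demonstration finite).
int unchecked_walk(uint32_t resourcesLength, const ResourceBlock& blk, int maxIterations) {
    int iterations = 0;
    while (resourcesLength > 0) {
        if (iterations++ >= maxIterations) return -1;            // no progress: would spin forever
        uint32_t consumed = blk.nameLength + blk.dataSize + 12;   // 0xfffffff4 + 12 wraps to 0
        resourcesLength -= consumed;                              // subtracting 0 changes nothing
    }
    return iterations;
}

// Overflow-aware unsigned addition, written for this example in the spirit
// of Exiv2's Safe::add (this is not the project's implementation).
bool safe_add_u32(uint32_t a, uint32_t b, uint32_t& out) {
    if (a > std::numeric_limits<uint32_t>::max() - b) return false;  // a + b would wrap
    out = a + b;
    return true;
}

// Checked variant: returns true when the section walks cleanly, false when
// the input is rejected because the block size arithmetic overflows or the
// block claims more bytes than remain in the section.
bool checked_walk(uint32_t resourcesLength, const ResourceBlock& blk) {
    while (resourcesLength > 0) {
        uint32_t consumed = 0;
        if (!safe_add_u32(blk.nameLength, blk.dataSize, consumed)) return false;
        if (!safe_add_u32(consumed, 12, consumed)) return false;
        if (consumed > resourcesLength) return false;  // would underflow the remaining length
        resourcesLength -= consumed;                    // guaranteed to make progress (consumed >= 12)
    }
    return true;
}

int main() {
    // Constructed values: 0xfffffff0 + 4 = 0xfffffff4, the sum named in the report.
    const ResourceBlock wrapping{0xfffffff0u, 4u};
    const ResourceBlock sane{8u, 1980u};
    int spins = unchecked_walk(4000, wrapping, 1000);   // -1: loop never progresses
    bool rejected = !checked_walk(4000, wrapping);      // true: overflow detected and rejected
    bool ok = checked_walk(4000, sane);                 // true: two 2000-byte blocks fit exactly
    return (spins == -1 && rejected && ok) ? 0 : 1;
}
```

The checked loop terminates for every input because every accepted block removes at least 12 bytes from a value it is bounded by, which is the property the unchecked arithmetic silently loses once the 32-bit sum wraps.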
Add regression test for #426
b6bc426
This issue was fixed by #518
This got assigned CVE-2018-19108.
piponazo