-
Notifications
You must be signed in to change notification settings - Fork 279
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix integer overflow #1536
Fix integer overflow #1536
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think your fix is more-or-less correct, so I will approve this. I'm happy if you wish to modify the PR after approval.
I've never looked at this code before. It's horrible. I suspect that if cc->size() is less than 28, we should parachute out of there. Something like:
if ((edX != edEnd || edY != edEnd || edO != edEnd) && cc->size >= 28 ) {
...
} else {
... remove some mysterious data ...
}
@clanmills: None of the existing tests fail if we disallow |
I'm going to open an issue for v1.00 to "properly" fix our 32/64 bit support. We announced in v0.27 (and the the five dots), that the API for v0.28 (now to be called v1.00) will change. There's a horrible mix of size_t, uint32_t, long, int, uint64_t in the API. Now is the time to fix that. I suspect the correct way forward is to use uint64_t everywhere. We don't have to worry much about performance because Exiv2 is very fast. We can open and read the metadata from about 100+ files/second on my 6 year old MacMini. |
b31acb1
to
9b7a19f
Compare
I made a few changes:
|
@kevinbackhouse Two tiny comments: python test symbol_name In your python test code, we normally use $symbol_name for error messages and file names. This enables us to change the text of an error message without modify any test scripts. This is achieved via tests/suite_conf. On Monday, I added test_issue_1522.py for the first of the three CVEs. You'll see the python defines stderr as:
Dan's test suite (in tests/system_tests.py), expands the three $symbol_names to match:
Working on exiv2/exiv2 |
@clanmills: sorry, I forgot about the $symbol_name feature. I'll fix that now. Regarding the branches, I don't have permission to create branches in the https://github.com/Exiv2/exiv2 repo. Or am I misunderstanding? |
51ee754
to
06d2db6
Compare
I replaced the hard-coded string with |
BTW, before I forget. Well done to spot that delete [] error. That's a common error that's hard to spot with the eye-ball. Did you find that with valgrind or something? I wouldn't bother with that string "Could not write metadata to file". It's an odd-ball/one-off kind of thing. The super important ones are $exiv2 $filename $kerMumbleJumble You're not a member! I've just given you write permission. I think you're good for the future. If you submit a new PR on exiv2/exiv2, I'll approve and merge the result. I suspect the security guys are going to drop another CVE on us early next week. When I'm certain that both your code and @pydera's code are merged, I'll cut v0.27.4 RC2. Great end to a very successful week. |
The |
I'll close this PR and reopen it from a branch on the exiv2 repo. |
This testing stuff really is a good idea. I don't know why it isn't more popular! Much the same with the seldom used team-work! |
Fixes #1530.
The problem is a negative integer overflow in
cc->size() - 8
(line 1193). In the test case, the value ofcc->size()
is 5.I'll add a regression test to this PR shortly.