Avoid negative integer overflow when filesize < io_->tell() #797
Conversation
Very nice idea! Ideally we could start replacing step by step the old usages of read by this new readOrThrow so that we are always sure about checking whether the read operation succeeded.
I would even vote for not having the 3rd argument and always throwing the same kind of error (Exiv2::kerCorruptedMetadata).
I would also like to see @D4N's opinion in this matter.
I like this new API and will follow up with a proper review hopefully in the next few days. I have two comments:
I agree with @D4N. Please don't make API changes on 0.27-maintenance. In fact, I should open an issue on myself to investigate if we made API changes in 0.27.1, and I'll update the release process to verify that we haven't introduced changes. The aim of the v0.27-dots is to avoid API changes so security fixes can be provided by swapping DLLs without recompiling applications.
I also agree with @D4N's comments:
Can we use a macro or template to implement
Codecov Report
@@ Coverage Diff @@
## 0.27-maintenance #797 +/- ##
====================================================
+ Coverage 62.68% 62.69% +0.01%
====================================================
Files 156 156
Lines 21545 21554 +9
====================================================
+ Hits 13505 13514 +9
Misses 8040 8040
Continue to review full report at Codecov.
I changed this to avoid the API change by making
Hi @kevinbackhouse, as I commented in #813 the build on Windows is not passing: If you do not have a Windows development environment, let me know and I'll take a look at it.
@piponazo: I have pushed a commit to fix this. The problem is that
Overall this looks good to me for 0.27-maintenance, I've added a few notes concerning the overflow checks.
src/webpimage.cpp
Outdated
const uint32_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian) + 8;
enforce(filesize <= io_->size(), Exiv2::kerCorruptedMetadata);
const long filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian) + 8;
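Review bot: the `const long filesize = Exiv2::getULong(...) + 8;` line does not remove the wrap. getULong returns uint32_t, so on any platform with a 32-bit int the `+ 8` is still evaluated in unsigned 32-bit arithmetic; a size field above 0xFFFFFFF7 wraps to a small value before the widening to long and then passes the `filesize <= io_->size()` check. Widen before adding, or use Safe::add as suggested below, and keep the bound check against io_->size().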
See my comment in #813, use Safe::add.
done
src/webpimage.cpp
Outdated
readOrThrow(*io_, chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
readOrThrow(*io_, size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
const long size = Exiv2::getULong(size_buff, littleEndian);
enforce(0 <= size, Exiv2::kerCorruptedMetadata);
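Review bot: `enforce(0 <= size, ...)` on a long assigned from a uint32_t is not a portable check. With a 64-bit long every uint32_t value fits and the enforce can never fire; with a 32-bit long the conversion of values at or above 2^31 is implementation-defined rather than guaranteed to produce a negative number. Keep `size` as uint32_t and bound it explicitly, either against std::numeric_limits<long>::max() before any conversion to long, or directly against the bytes remaining in the file.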
See my comment in #813, this is relying on undefined behavior. To properly check this, you must do something like this:
const uint32_t size = Exiv2::getULong(size_buff, littleEndian);
enforce(size < std::numeric_limits<long>::max(), Exiv2::kerCorruptedMetadata);
const long long_size = size;

done
Co-Authored-By: kevinbackhouse <kev@semmle.com>
Most of the suggestions have been addressed
This fixes #791.
I added a new utility function to BasicIO to make it more convenient to read rcount bytes and throw an exception if not enough bytes are available. I called it readOrThrow because I couldn't think of a good name for it.
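As an added example (not Exiv2 code and not the PR's own implementation), the following puts the two ideas from this thread together in one runnable piece: a readOrThrow that refuses short reads, and a RIFF/WebP chunk walker that applies the overflow checks raised in the review: a checked add for getULong(...) + 8 instead of wrapping uint32_t arithmetic, an explicit filesize >= tell() guard before filesize - tell() is ever formed, and chunk sizes kept unsigned and bounded against the bytes remaining rather than converted to long. MemIo, readOrThrow's signature, safeAdd, getULongLE, parseWebp and the sample bytes are all assumptions of the example; Exiv2's real BasicIO::read, Safe::add and getULong have different shapes.

```cpp
#include <cstdint>
#include <cstring>
#include <limits>
#include <stdexcept>
#include <string>
#include <vector>
// Added example, not Exiv2 code: an in-memory stand-in for BasicIO whose read()
// keeps the short-read contract (returns the number of bytes actually copied).
class MemIo {
public:
    explicit MemIo(const std::vector<uint8_t>& d) : data_(d), pos_(0) {}
    size_t read(uint8_t* buf, size_t rcount) {
        const size_t avail = data_.size() - pos_;
        const size_t n = rcount < avail ? rcount : avail;
        if (n) std::memcpy(buf, data_.data() + pos_, n);
        pos_ += n;
        return n;
    }
    void skip(size_t n) {  // advance without copying; refuse to run off the end
        if (n > data_.size() - pos_) throw std::runtime_error("corrupted metadata: skip past end");
        pos_ += n;
    }
    size_t size() const { return data_.size(); }
    size_t tell() const { return pos_; }
private:
    std::vector<uint8_t> data_;
    size_t pos_;
};
// Assumed shape of the PR's readOrThrow: exactly rcount bytes or an exception, so a
// truncated file never leaves the caller parsing uninitialised buffer bytes.
static void readOrThrow(MemIo& io, uint8_t* buf, size_t rcount, const char* what) {
    if (io.read(buf, rcount) != rcount)
        throw std::runtime_error(std::string("corrupted metadata: short read of ") + what);
}
static uint32_t getULongLE(const uint8_t* p) {  // little-endian u32, like Exiv2::getULong
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}
// Checked add in the spirit of Exiv2's Safe::add: a wrap becomes an error instead of
// the silent modulo-2^32 result that plain `getULong(...) + 8` produces.
static uint32_t safeAdd(uint32_t a, uint32_t b) {
    if (a > std::numeric_limits<uint32_t>::max() - b)
        throw std::runtime_error("corrupted metadata: size field overflows");
    return a + b;
}
struct Chunk { std::string id; uint32_t size; };
// Walks the RIFF chunk list of a WebP file, keeping every size unsigned and bounding
// each one against what is actually left in the file.
static std::vector<Chunk> parseWebp(const std::vector<uint8_t>& bytes) {
    MemIo io(bytes);
    uint8_t hdr[12];
    readOrThrow(io, hdr, sizeof hdr, "RIFF header");
    if (std::memcmp(hdr, "RIFF", 4) != 0 || std::memcmp(hdr + 8, "WEBP", 4) != 0)
        throw std::runtime_error("not a WebP file");
    const uint32_t filesize = safeAdd(getULongLE(hdr + 4), 8);  // RIFF size excludes the 8-byte prefix
    if (filesize > io.size()) throw std::runtime_error("corrupted metadata: RIFF size exceeds file");
    // The case in the PR title: never form filesize - tell() while filesize < tell().
    if (filesize < io.tell()) throw std::runtime_error("corrupted metadata: RIFF size below header");
    std::vector<Chunk> chunks;
    while (io.tell() < filesize) {
        size_t remaining = filesize - io.tell();  // cannot go negative: tell() < filesize here
        if (remaining < 8) throw std::runtime_error("corrupted metadata: truncated chunk header");
        uint8_t ch[8];
        readOrThrow(io, ch, sizeof ch, "chunk header");
        remaining -= 8;
        const uint32_t size = getULongLE(ch + 4);  // stays uint32_t: no signed conversion to police
        if (size > remaining) throw std::runtime_error("corrupted metadata: chunk size exceeds file");
        chunks.push_back(Chunk{std::string(reinterpret_cast<const char*>(ch), 4), size});
        io.skip(size);
        if (size % 2 == 1 && io.tell() < filesize) io.skip(1);  // RIFF pads odd-sized chunks
    }
    return chunks;
}
// Constructed sample input (not a real file): RIFF/WEBP header, a 4-byte "VP8 " chunk
// and a 3-byte "EXIF" chunk plus its pad byte; 36 bytes in total, so the RIFF size is 28.
static void putULongLE(std::vector<uint8_t>& v, uint32_t x) {
    for (int i = 0; i < 4; ++i) v.push_back(uint8_t(x >> (8 * i)));
}
static void putTag(std::vector<uint8_t>& v, const char* s) { v.insert(v.end(), s, s + 4); }
static std::vector<uint8_t> sampleWebp(uint32_t riffSize = 28) {
    std::vector<uint8_t> v;
    putTag(v, "RIFF"); putULongLE(v, riffSize); putTag(v, "WEBP");
    putTag(v, "VP8 "); putULongLE(v, 4); putTag(v, "abcd");
    putTag(v, "EXIF"); putULongLE(v, 3); putTag(v, "xyz");  // "xyz" plus its NUL = payload + pad
    return v;
}
static bool rejects(const std::vector<uint8_t>& bytes) {
    try { parseWebp(bytes); return false; } catch (const std::runtime_error&) { return true; }
}
int main() {
    const std::vector<Chunk> ok = parseWebp(sampleWebp());
    bool good = ok.size() == 2 && ok[1].id == "EXIF" && ok[1].size == 3;
    good = good && rejects(sampleWebp(0xFFFFFFFFu));         // size + 8 would wrap
    good = good && rejects(sampleWebp(0));                   // filesize < tell()
    std::vector<uint8_t> cut = sampleWebp(); cut.resize(10); // header cut short: readOrThrow fires
    good = good && rejects(cut);
    return good ? 0 : 1;
}
```

The design point is that nothing in the loop is ever signed: the remaining byte count is an unsigned difference taken only after the loop condition has established tell() < filesize, and each chunk size is compared in its native uint32_t against that count, so neither the wrap that Safe::add guards against nor the uint32_t-to-long conversion flagged in the review can occur.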