Skip to content

Commit

Permalink
Merge pull request #1888 from kevinbackhouse/FixIssue1887
Browse files Browse the repository at this point in the history
Avoid reading 1 byte off the end when the string does not contain a '\0' byte
  • Loading branch information
kevinbackhouse authored Sep 2, 2021
2 parents cb16324 + bd211a9 commit 7caf447
Show file tree
Hide file tree
Showing 3 changed files with 24 additions and 9 deletions.
15 changes: 6 additions & 9 deletions src/crwimage_int.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -826,22 +826,20 @@ namespace Exiv2 {
ExifKey key1("Exif.Image.Make");
Value::UniquePtr value1 = Value::create(ciffComponent.typeId());
uint32_t i = 0;
for (; i < ciffComponent.size()
&& ciffComponent.pData()[i] != '\0'; ++i) {
while (i < ciffComponent.size() && ciffComponent.pData()[i++] != '\0') {
// empty
}
value1->read(ciffComponent.pData(), ++i, byteOrder);
value1->read(ciffComponent.pData(), i, byteOrder);
image.exifData().add(key1, value1.get());

// Model
ExifKey key2("Exif.Image.Model");
Value::UniquePtr value2 = Value::create(ciffComponent.typeId());
uint32_t j = i;
for (; i < ciffComponent.size()
&& ciffComponent.pData()[i] != '\0'; ++i) {
while (i < ciffComponent.size() && ciffComponent.pData()[i++] != '\0') {
// empty
}
value2->read(ciffComponent.pData() + j, i - j + 1, byteOrder);
value2->read(ciffComponent.pData() + j, i - j, byteOrder);
image.exifData().add(key2, value2.get());
} // CrwMap::decode0x080a

Expand Down Expand Up @@ -979,11 +977,10 @@ namespace Exiv2 {
else if (ciffComponent.typeId() == asciiString) {
// determine size from the data, by looking for the first 0
uint32_t i = 0;
for (; i < ciffComponent.size()
&& ciffComponent.pData()[i] != '\0'; ++i) {
while (i < ciffComponent.size() && ciffComponent.pData()[i++] != '\0') {
// empty
}
size = ++i;
size = i;
}
else {
// by default, use the size from the directory entry
Expand Down
Binary file added test/data/issue_1887_poc.crw
Binary file not shown.
18 changes: 18 additions & 0 deletions tests/bugfixes/github/test_issue_1887.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# -*- coding: utf-8 -*-

from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors


class OutOfBoundsReadInCrwMapDecode0x080a(metaclass=CaseMeta):
"""
Regression test for the bug described in:
https://github.com/Exiv2/exiv2/issues/1887
"""
url = "https://github.com/Exiv2/exiv2/issues/1887"

filename = path("$data_path/issue_1887_poc.crw")
commands = ["$exiv2 $filename"]
stderr = [""]
retval = [0]

compare_stdout = check_no_ASAN_UBSAN_errors

0 comments on commit 7caf447

Please sign in to comment.