Fix #1011 fix_1011_jp2_readmetadata_loop

2019-10-01 17:39:44 +01:00 · 2019-10-01 17:39:44 +01:00 · 1b917c3f7d
commit 1b917c3f7d
parent a30027c64a
4 changed files with 35 additions and 7 deletions
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@ -18,10 +18,6 @@
 * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
 */

-/*
-  File:      jp2image.cpp
-*/
-
 // *****************************************************************************

 // included header files
@ -197,6 +193,16 @@ namespace Exiv2
        return result;
    }

+static void boxes_check(size_t b,size_t m)
+{
+    if ( b > m ) {
+#ifdef EXIV2_DEBUG_MESSAGES
+        std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
+#endif
+        throw Error(kerCorruptedMetadata);
+    }
+}
+
    void Jp2Image::readMetadata()
    {
 #ifdef EXIV2_DEBUG_MESSAGES
@ -219,9 +225,12 @@ namespace Exiv2
        Jp2BoxHeader      subBox    = {0,0};
        Jp2ImageHeaderBox ihdr      = {0,0,0,0,0,0,0,0};
        Jp2UuidBox        uuid      = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+        size_t            boxes     = 0 ;
+        size_t            boxem     = 1000 ; // boxes max

        while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
        {
+            boxes_check(boxes++,boxem );
            position   = io_->tell();
            box.length = getLong((byte*)&box.length, bigEndian);
            box.type   = getLong((byte*)&box.type, bigEndian);
@ -251,8 +260,12 @@ namespace Exiv2

                    while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
                    {
+                        boxes_check(boxes++, boxem) ;
                        subBox.length = getLong((byte*)&subBox.length, bigEndian);
                        subBox.type   = getLong((byte*)&subBox.type, bigEndian);
+                        if (subBox.length > io_->size() ) {
+                            throw Error(kerCorruptedMetadata);
+                        }
 #ifdef EXIV2_DEBUG_MESSAGES
                        std::cout << "Exiv2::Jp2Image::readMetadata: "
                        << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
@ -308,7 +321,9 @@ namespace Exiv2
                        }

                        io_->seek(restore,BasicIo::beg);
-                        io_->seek(subBox.length, Exiv2::BasicIo::cur);
+                        if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
+                            throw Error(kerCorruptedMetadata);
+                        }
                        restore = io_->tell();
                    }
                    break;
--- a/test/data/Jp2Image_readMetadata_loop.poc
+++ b/test/data/Jp2Image_readMetadata_loop.poc
--- a/tests/bugfixes/github/test_CVE_2017_17725.py
+++ b/tests/bugfixes/github/test_CVE_2017_17725.py
@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
    filename = "$data_path/poc_2017-12-12_issue188"
    commands = ["$exiv2 " + filename]
    stdout = [""]
-    stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
-$addition_overflow_message
+    stderr = ["""$exiv2_exception_message """ + filename + """:
+$kerCorruptedMetadata
 """]
    retval = [1]
--- a/tests/bugfixes/github/test_issue_1011.py
+++ b/tests/bugfixes/github/test_issue_1011.py
@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+class Test_issue_1011(metaclass=CaseMeta):
+
+    filename = path("$data_path/Jp2Image_readMetadata_loop.poc")
+    commands = ["$exiv2 " + filename]
+    stdout   = [""]
+    stderr   = ["""$exiv2_exception_message """ + filename + """:
+$kerCorruptedMetadata
+"""]
+    retval = [1]