third_party/exiv2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #2534 from kevinbackhouse/asfvideo-fix-int-overflow

Browse Source 
Fix integer overflow which enables enforce to be bypassed
This commit is contained in:
Kevin Backhouse 2023-03-05 07:43:41 +00:00 committed by GitHub
commit 3b0398ab20
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/asfvideo.cpp
View File

@ -249,13 +249,13 @@ AsfVideo::HeaderReader::HeaderReader(BasicIo::UniquePtr& io) : IdBuf_(GUID) {
} }
void AsfVideo::decodeBlock() { void AsfVideo::decodeBlock() {
Internal::enforce(GUID + QWORD + io_->tell() <= io_->size(), Exiv2::ErrorCode::kerCorruptedMetadata); Internal::enforce(GUID + QWORD <= io_->size() - io_->tell(), Exiv2::ErrorCode::kerCorruptedMetadata);
HeaderReader objectHeader(io_); HeaderReader objectHeader(io_);
#ifdef EXIV2_DEBUG_MESSAGES #ifdef EXIV2_DEBUG_MESSAGES
EXV_INFO << "decodeBlock = " << GUIDTag(objectHeader.getId().data()).to_string() EXV_INFO << "decodeBlock = " << GUIDTag(objectHeader.getId().data()).to_string()
<< "\tsize= " << objectHeader.getSize() << "\t " << io_->tell() << "/" << io_->size() << std::endl; << "\tsize= " << objectHeader.getSize() << "\t " << io_->tell() << "/" << io_->size() << std::endl;
#endif #endif
Internal::enforce(objectHeader.getSize() + io_->tell() <= io_->size(), Exiv2::ErrorCode::kerCorruptedMetadata); Internal::enforce(objectHeader.getSize() <= io_->size() - io_->tell(), Exiv2::ErrorCode::kerCorruptedMetadata);
auto tag = GUIDReferenceTags.find(GUIDTag(objectHeader.getId().data())); auto tag = GUIDReferenceTags.find(GUIDTag(objectHeader.getId().data()));
if (tag != GUIDReferenceTags.end()) { if (tag != GUIDReferenceTags.end()) {
@ -405,7 +405,7 @@ void AsfVideo::codecList() {
xmpData()[codec + std::string(".CodecDescription")] = readStringWcharTag(io_, codec_desc_length); xmpData()[codec + std::string(".CodecDescription")] = readStringWcharTag(io_, codec_desc_length);
uint16_t codec_info_length = readWORDTag(io_); uint16_t codec_info_length = readWORDTag(io_);
Internal::enforce(codec_info_length && codec_info_length + io_->tell() < io_->size(), Internal::enforce(codec_info_length && codec_info_length < io_->size() - io_->tell(),
Exiv2::ErrorCode::kerCorruptedMetadata); Exiv2::ErrorCode::kerCorruptedMetadata);
xmpData()[codec + std::string(".CodecInfo")] = readStringTag(io_, codec_info_length); xmpData()[codec + std::string(".CodecInfo")] = readStringTag(io_, codec_info_length);
} }