Merge pull request #212 from Kicer86/master

fix for crash in bigtiff (issue #208)
2018-02-01 15:13:12 +00:00 · 2018-02-01 15:13:12 +00:00 · 7f56236bb8
commit 7f56236bb8
parent 5f360a99af a1f1989cb5
3 changed files with 45 additions and 10 deletions
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@ -5,6 +5,7 @@
 #include <limits>

 #include "exif.hpp"
+#include "error.hpp"
 #include "image_int.hpp"


@ -75,7 +76,7 @@ namespace Exiv2

        Header readHeader(BasicIo& io)
        {
-            byte header[2];
+            byte header[2] = {0, 0};
            io.read(header, 2);

            ByteOrder byteOrder = invalidByteOrder;
@ -87,7 +88,7 @@ namespace Exiv2
            if (byteOrder == invalidByteOrder)
                return Header();

-            byte version[2];
+            byte version[2] = {0, 0};
            io.read(version, 2);

            const uint16_t magic = getUShort(version, byteOrder);
@ -100,24 +101,42 @@ namespace Exiv2
            if (magic == 0x2A)
            {
                byte buffer[4];
-                io.read(buffer, 4);
+                int read = io.read(buffer, 4);
+
+                if (read < 4)
+                    throw Exiv2::Error(58);

                const uint32_t offset = getULong(buffer, byteOrder);
                result = Header(byteOrder, magic, 4, offset);
            }
            else
            {
-                byte buffer[8];
-                io.read(buffer, 2);
+                byte buffer[8] = {0, 0, 0, 0, 0, 0, 0, 0};
+                int read = io.read(buffer, 2);
+                if (read < 2)
+                    throw Exiv2::Error(58);
+
                const int size = getUShort(buffer, byteOrder);
-                assert(size == 8);

-                io.read(buffer, 2); // null
+                if (size == 8)
+                {
+                    read = io.read(buffer, 2); // null
+                    if (read < 2)
+                        throw Exiv2::Error(58);

-                io.read(buffer, 8);
-                const uint64_t offset = getULongLong(buffer, byteOrder);
+                    read = io.read(buffer, 8);
+                    if (read < 8)
+                        throw Exiv2::Error(58);

-                result = Header(byteOrder, magic, size, offset);
+                    const uint64_t offset = getULongLong(buffer, byteOrder);
+
+                    if (offset >= io.size())
+                        throw Exiv2::Error(58);
+
+                    result = Header(byteOrder, magic, size, offset);
+                }
+                else
+                    throw Exiv2::Error(58);
            }

            return result;
--- a/test/data/2018-01-09-exiv2-crash-001.tiff
+++ b/test/data/2018-01-09-exiv2-crash-001.tiff
--- a/tests/bugfixes/github/test_issue_208.py
+++ b/tests/bugfixes/github/test_issue_208.py
@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+
+import system_tests
+
+
+class CVE_2017_14857(system_tests.Case):
+
+    filename = "{data_path}/2018-01-09-exiv2-crash-001.tiff"
+    commands = ["{exiv2} " + filename]
+    retval = [1]
+    stdout = [""]
+    stderr = [
+        """{exiv2_exception_msg} """ + filename + """:
+{error_58_message}
+"""]
+