From 1647908e00a4df7246d76678e59587e62c690dcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Walenciak?=
Date: Sat, 13 Jan 2018 11:44:31 +0100
Subject: [PATCH 1/5] fix for crash in bigtiff (issue #208)
---
 src/bigtiffimage.cpp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/bigtiffimage.cpp b/src/bigtiffimage.cpp
index 0d1c7b22..ebd08d14 100644
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@@ -110,14 +110,16 @@ namespace Exiv2
 byte buffer[8];
 io.read(buffer, 2);
 const int size = getUShort(buffer, byteOrder);
- assert(size == 8);
- io.read(buffer, 2); // null
+ if (size == 8)
+ {
+ io.read(buffer, 2); // null
- io.read(buffer, 8);
- const uint64_t offset = getULongLong(buffer, byteOrder);
+ io.read(buffer, 8);
+ const uint64_t offset = getULongLong(buffer, byteOrder);
- result = Header(byteOrder, magic, size, offset);
+ result = Header(byteOrder, magic, size, offset);
+ }
 }
 return result;
From dba9fba725d54e9b18d239c3fc3f8f536ea2ad9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Walenciak?=
Date: Sat, 13 Jan 2018 15:52:50 +0100
Subject: [PATCH 2/5] test for issue #208
---
 test/data/2018-01-09-exiv2-crash-001.tiff | Bin 0 -> 188 bytes
 tests/bugfixes/github/test_issue_208.py | 16 ++++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 test/data/2018-01-09-exiv2-crash-001.tiff
 create mode 100644 tests/bugfixes/github/test_issue_208.py
diff --git a/test/data/2018-01-09-exiv2-crash-001.tiff b/test/data/2018-01-09-exiv2-crash-001.tiff
new file mode 100644
index 0000000000000000000000000000000000000000..8f78f73c50d73b0f7e9ea9d8c4c2d0de72875c0f
GIT binary patch literal 188 zcmebD)MjA#|DS;mc3IG*=)PS%UBl8y!m*fBc z|5A($kN*n*1^In}1O&W<(lJ09q+W%Q1w?;kn9abT!T9n&kbRgfg@I8MXfhK6$VNs6 hL&o3#IT=KOA|M@5@DNCYxXYn*P-2BqNoJZ00|1B?7(oC4 literal 0 HcmV?d00001
diff --git a/tests/bugfixes/github/test_issue_208.py b/tests/bugfixes/github/test_issue_208.py
new file mode 100644
index 00000000..4f513a33
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_208.py
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+
+import system_tests
+
+
+class CVE_2017_14857(system_tests.Case):
+
+ filename = "{data_path}/2018-01-09-exiv2-crash-001.tiff"
+ commands = ["{exiv2} " + filename]
+ retval = [1]
+ stdout = [""]
+ stderr = [
+ """{exiv2_exception_msg} """ + filename + """:
+""" + filename + """: The file contains data of an unknown image type"""
+]
+
From 421c6d6723afb040ec669217a24b6cc5b7fe4d4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Walenciak?=
Date: Sun, 14 Jan 2018 08:24:26 +0100
Subject: [PATCH 3/5] improvements for issue #208
---
 src/bigtiffimage.cpp | 8 +++++++-
 tests/bugfixes/github/test_issue_208.py | 4 ++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/bigtiffimage.cpp b/src/bigtiffimage.cpp
index ebd08d14..0ad7e99f 100644
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@@ -5,6 +5,7 @@
 #include
 #include "exif.hpp"
+#include "error.hpp"
 #include "image_int.hpp"
@@ -107,7 +108,7 @@ namespace Exiv2
 }
 else
 {
- byte buffer[8];
+ byte buffer[8] = {0, 0, 0, 0, 0, 0, 0, 0};
 io.read(buffer, 2);
 const int size = getUShort(buffer, byteOrder);
@@ -118,8 +119,13 @@ namespace Exiv2
 io.read(buffer, 8);
 const uint64_t offset = getULongLong(buffer, byteOrder);
+ if (offset >= io.size())
+ throw Exiv2::Error(58);
+
 result = Header(byteOrder, magic, size, offset);
 }
+ else
+ throw Exiv2::Error(58);
 }
 return result;
diff --git a/tests/bugfixes/github/test_issue_208.py b/tests/bugfixes/github/test_issue_208.py
index 4f513a33..80f88619 100644
--- a/tests/bugfixes/github/test_issue_208.py
+++ b/tests/bugfixes/github/test_issue_208.py
@@ -11,6 +11,6 @@ class CVE_2017_14857(system_tests.Case):
 stdout = [""]
 stderr = [
 """{exiv2_exception_msg} """ + filename + """:
-""" + filename + """: The file contains data of an unknown image type"""
-]
+{error_58_message}
+"""]
From 24348e85ca873e8b4509964be4ffccc5b3612133 Mon Sep 17 00:00:00 2001
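Review bot: The new test class is named `CVE_2017_14857` while the file name and the commit subject refer to issue #208, so a reader of the test cannot tell whether the CVE and the issue are the same bug. If they are, a one-line class docstring such as `"""Crash in the BigTIFF reader, GitHub issue #208 (reported as CVE-2017-14857)."""` would record the mapping where the test lives. The expected stderr also hard-codes the full "unknown image type" text, which 3/5 in this series already has to rewrite to `{error_58_message}`; matching on the error placeholder from the start would have made the expectation less brittle.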
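Review bot: The `offset >= io.size()` guard is added only to the BigTIFF branch; the classic-TIFF branch earlier in the same function (`const uint32_t offset = getULong(buffer, byteOrder); result = Header(byteOrder, magic, 4, offset);`, visible in the @@ -103 hunks of 4/5 and 5/5) still passes its IFD offset to `Header` unchecked, so a crafted classic TIFF presumably reaches whatever consumes that offset with an out-of-file value. The same one-line check belongs there: `if (offset >= io.size()) throw Exiv2::Error(58);`. `Exiv2::Error(58)` is a bare number repeated at every failure point in this series; a named constant for the code would say what the error means. `readHeader` starts and ends outside the hunk.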
From: =?UTF-8?q?Micha=C5=82=20Walenciak?=
Date: Mon, 15 Jan 2018 21:44:41 +0100
Subject: [PATCH 4/5] checks for valid reads
---
 src/bigtiffimage.cpp | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/bigtiffimage.cpp b/src/bigtiffimage.cpp
index 0ad7e99f..505553c3 100644
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@@ -89,7 +89,9 @@ namespace Exiv2
 return Header();
 byte version[2];
- io.read(version, 2);
+ int read = io.read(version, 2);
+ if (read < 2)
+ throw Exiv2::Error(58);
 const uint16_t magic = getUShort(version, byteOrder);
@@ -103,6 +105,9 @@ namespace Exiv2
 byte buffer[4];
 io.read(buffer, 4);
+ if (read < 4)
+ throw Exiv2::Error(58);
+
 const uint32_t offset = getULong(buffer, byteOrder);
 result = Header(byteOrder, magic, 4, offset);
 }
@@ -110,13 +115,21 @@ namespace Exiv2
 {
 byte buffer[8] = {0, 0, 0, 0, 0, 0, 0, 0};
 io.read(buffer, 2);
+ if (read < 2)
+ throw Exiv2::Error(58);
+
 const int size = getUShort(buffer, byteOrder);
 if (size == 8)
 {
- io.read(buffer, 2); // null
+ read = io.read(buffer, 2); // null
+ if (read < 2)
+ throw Exiv2::Error(58);
+
+ read = io.read(buffer, 8);
+ if (read < 8)
+ throw Exiv2::Error(58);
- io.read(buffer, 8);
 const uint64_t offset = getULongLong(buffer, byteOrder);
 if (offset >= io.size())
From d219e61586d49fae4f7e1788e6e60541bfaa68f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Walenciak?=
Date: Wed, 17 Jan 2018 19:07:41 +0100
Subject: [PATCH 5/5] be more error prone
---
 src/bigtiffimage.cpp | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/bigtiffimage.cpp b/src/bigtiffimage.cpp
index 505553c3..78b8166a 100644
--- a/src/bigtiffimage.cpp
+++ b/src/bigtiffimage.cpp
@@ -76,7 +76,7 @@ namespace Exiv2
 Header readHeader(BasicIo& io)
 {
- byte header[2];
+ byte header[2] = {0, 0};
 io.read(header, 2);
 ByteOrder byteOrder = invalidByteOrder;
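Review bot: The new `if (read < 4)` tests the count left over from `io.read(version, 2)` in the previous hunk, because the return value of `io.read(buffer, 4)` on the context line above is discarded; with `read` equal to 2 the check throws `Error(58)` for every classic-TIFF file, and the matching stale check in the @@ -110 hunk, `io.read(buffer, 2); if (read < 2)`, never fires on a short read. Each read needs its own assignment: `read = io.read(buffer, 4);` here and `read = io.read(buffer, 2);` there. 5/5 in this series makes exactly that change, so the defect is confined to this intermediate commit, but it is worth knowing when bisecting. `readHeader` starts and ends outside the hunk.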
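Review bot: The return value of `io.read(header, 2)` is still ignored, so the zero-initialiser on the new line is what now makes a short read safe: `header` then holds no byte-order mark and `byteOrder` presumably stays `invalidByteOrder` (the comparison is outside the hunk). That reliance is not visible from the line itself and deserves a comment, e.g. `// zero-filled on purpose: a short read must not leave header uninitialised; an unrecognised byte order is rejected below`. The same pattern is applied to `version` in the @@ -88 hunk, where the explicit short-read check is removed at the same time.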
@@ -88,10 +88,8 @@ namespace Exiv2
 if (byteOrder == invalidByteOrder)
 return Header();
- byte version[2];
- int read = io.read(version, 2);
- if (read < 2)
- throw Exiv2::Error(58);
+ byte version[2] = {0, 0};
+ io.read(version, 2);
 const uint16_t magic = getUShort(version, byteOrder);
@@ -103,7 +101,7 @@ namespace Exiv2
 if (magic == 0x2A)
 {
 byte buffer[4];
- io.read(buffer, 4);
+ int read = io.read(buffer, 4);
 if (read < 4)
 throw Exiv2::Error(58);
@@ -114,7 +112,7 @@ namespace Exiv2
 else
 {
 byte buffer[8] = {0, 0, 0, 0, 0, 0, 0, 0};
- io.read(buffer, 2);
+ int read = io.read(buffer, 2);
 if (read < 2)
 throw Exiv2::Error(58);
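Review bot: Dropping the `read < 2` check after `io.read(version, 2)` means a file truncated right after the byte-order mark now yields `magic == 0` from the zeroed buffer instead of an immediate `Error(58)`; since 0 is not `0x2A`, control falls into the else branch of the @@ -114 hunk, whose own `read < 2` check should then throw, assuming a read at end of file returns fewer than 2 bytes. The outcome is the same error reached indirectly, so the removal is presumably deliberate, but nothing on the new lines says so. Either keep the direct check, `int read = io.read(version, 2); if (read < 2) throw Exiv2::Error(58);`, or annotate the new line with `// short read leaves magic == 0, which the BigTIFF branch below rejects`. The enclosing `readHeader` starts and ends outside the hunk.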
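Review bot: `byte buffer[4];` on the context line above the new `int read = io.read(buffer, 4);` is left uninitialised while this same commit zero-fills `header`, `version` and the 8-byte `buffer` in the @@ -114 hunk; the `read < 4` check makes it safe, but `byte buffer[4] = {0, 0, 0, 0};` would match the convention the commit establishes for the rest of the function. The `int read` declarations in this hunk and in @@ -114 also narrow if `BasicIo::read` returns a wider type, as I believe it does elsewhere in Exiv2; using the return type directly avoids the conversion. `readHeader` starts and ends outside the hunk.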