From 81ae213c7167261da710eef20a3405001f12aa84 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Wed, 15 May 2019 12:00:41 +0100
Subject: [PATCH] Check bounds of allocation size. (#848)
---
 src/pgfimage.cpp | 10 ++++++++--
 test/data/issue_847_poc.pgf | Bin 0 -> 38 bytes
 tests/bugfixes/github/test_issue_847.py | 23 +++++++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 test/data/issue_847_poc.pgf
 create mode 100644 tests/bugfixes/github/test_issue_847.py
diff --git a/src/pgfimage.cpp b/src/pgfimage.cpp
index d7bbea3f..c78efdd5 100644
--- a/src/pgfimage.cpp
+++ b/src/pgfimage.cpp
@@ -31,6 +31,7 @@
 #include "image.hpp"
 #include "pngimage.hpp"
 #include "basicio.hpp"
+#include "enforce.hpp"
 #include "error.hpp"
 #include "futils.hpp"
@@ -128,13 +129,18 @@ namespace Exiv2 {
 // And now, the most interresting, the user data byte array where metadata are stored as small image.
- long size = 8 + headerSize - io_->tell();
+ enforce(headerSize <= std::numeric_limits::max() - 8, kerCorruptedMetadata);
 #if LONG_MAX < UINT_MAX
+ enforce(headerSize + 8 <= static_cast(std::numeric_limits::max()), kerCorruptedMetadata);
 #endif
+ long size = static_cast(headerSize) + 8 - io_->tell();
 #ifdef DEBUG
 std::cout << "Exiv2::PgfImage::readMetadata: Found Image data (" << size << " bytes)\n";
 #endif
- if (size < 0) throw Error(kerInputDataReadFailed);
+ if (size < 0 || static_cast(size) > io_->size()) throw Error(kerInputDataReadFailed);
 if (size == 0) return;
 DataBuf imgData(size);
diff --git a/test/data/issue_847_poc.pgf b/test/data/issue_847_poc.pgf
new file mode 100644
index 0000000000000000000000000000000000000000..271cc239a556aadcfa26734cc8a7425827a35c8f
GIT binary patch
literal 38
jcmWG=chm1-U
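Review bot: The `#if LONG_MAX < UINT_MAX` guard around the second `enforce` is only as reliable as the headers in scope: the first hunk adds `enforce.hpp` alone, and if `<climits>` is not reachable here the preprocessor treats both undefined names as 0, evaluates `0 < 0` as false, and silently drops the check on exactly the 32-bit-`long` targets it exists for (the template arguments of `std::numeric_limits`/`static_cast` also appear to have been stripped in this rendering, so `<limits>` is a second include to confirm). Both `enforce` calls and the `#if`/`#endif` can be replaced by one comparison that is exact on either data model, assuming `headerSize` is a 32-bit unsigned value as the `max() - 8` test suggests: `enforce(static_cast<uint64_t>(headerSize) + 8 <= static_cast<uint64_t>(std::numeric_limits<long>::max()), kerCorruptedMetadata);`. The new `size > io_->size()` test caps the allocation at the file length but not at what remains after `io_->tell()`, so a truncated file is still allocated for and only fails at the read that follows; `static_cast<size_t>(io_->tell()) + static_cast<size_t>(size) > io_->size()` would reject it before `DataBuf imgData(size)`. readMetadata continues beyond the end of this hunk.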