Merge pull request #1921 from kevinbackhouse/FixIssue1920

Fix UBSAN failure caused by left-shift of negative number
2021-10-04 10:59:27 +01:00 · 2021-10-04 10:59:27 +01:00 · be5a01f0b2
commit be5a01f0b2
parent 6de681538b 83b9944cdd
4 changed files with 42 additions and 1 deletions
--- a/.github/codeql-queries/exiv2-cpp-queries/signed_shift.ql
+++ b/.github/codeql-queries/exiv2-cpp-queries/signed_shift.ql
@ -0,0 +1,24 @@
+/**
+ * @name Signed shift
+ * @description Shifting a negative number is undefined behavior,
+ *              so it is risky to shift a signed number.
+ * @kind problem
+ * @problem.severity warning
+ * @id cpp/signed-shift
+ * @tags security
+ *       external/cwe/cwe-758
+ */
+
+// See the "Bitwise shift operators" section here:
+// https://en.cppreference.com/w/cpp/language/operator_arithmetic
+import cpp
+import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+
+from BinaryBitwiseOperation shift, Expr lhs
+where
+  (shift instanceof LShiftExpr or shift instanceof RShiftExpr) and
+  lhs = shift.getLeftOperand().getFullyConverted() and
+  lowerBound(lhs) < 0
+select shift,
+  "This signed shift could cause undefined behavior if the value is negative. Type of lhs: " +
+    lhs.getType().toString()
--- a/src/pentaxmn_int.cpp
+++ b/src/pentaxmn_int.cpp
@ -1036,7 +1036,7 @@ namespace Exiv2 {
    std::ostream& PentaxMakerNote::printDate(std::ostream& os, const Value& value, const ExifData*)
    {
        /* I choose same format as is used inside EXIF itself */
-        os << ((value.toLong(0) << 8) + value.toLong(1));
+        os << ((static_cast<uint16_t>(value.toLong(0)) << 8) + value.toLong(1));
        os << ":";
        os << std::setw(2) << std::setfill('0') << value.toLong(2);
        os << ":";
--- a/test/data/issue_1920_poc.tiff
+++ b/test/data/issue_1920_poc.tiff
--- a/tests/bugfixes/github/test_issue_1920.py
+++ b/tests/bugfixes/github/test_issue_1920.py
@ -0,0 +1,17 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors
+
+class PentaxMakerNotePrintTimeSignedLeftShift(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/1920
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/1920"
+
+    filename = path("$data_path/issue_1920_poc.tiff")
+    commands = ["$exiv2 -q -Pt $filename"]
+    stderr = [""]
+    retval = [0]
+
+    compare_stdout = check_no_ASAN_UBSAN_errors