Don't allow zero width/height in WebPImage::inject_VP8X

2022-09-05 23:43:35 +01:00 · 2022-09-05 23:43:35 +01:00 · bf151a17a3
commit bf151a17a3
parent 175e609ad0
4 changed files with 23 additions and 0 deletions
--- a/src/webpimage.cpp
+++ b/src/webpimage.cpp
@ -752,12 +752,14 @@ void WebPImage::inject_VP8X(BasicIo& iIo, bool has_xmp, bool has_exif, bool has_
  }

  /* set width - stored in 24bits*/
+  enforce(width > 0, Exiv2::ErrorCode::kerCorruptedMetadata);
  uint32_t w = width - 1;
  data[4] = w & 0xFF;
  data[5] = (w >> 8) & 0xFF;
  data[6] = (w >> 16) & 0xFF;

  /* set height - stored in 24bits */
+  enforce(width > 0, Exiv2::ErrorCode::kerCorruptedMetadata);
  uint32_t h = height - 1;
  data[7] = h & 0xFF;
  data[8] = (h >> 8) & 0xFF;
--- a/test/data/issue_2270_poc.webp
+++ b/test/data/issue_2270_poc.webp
--- a/tests/bugfixes/github/test_issue_2270.py
+++ b/tests/bugfixes/github/test_issue_2270.py
@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path
+@CopyTmpFiles("$data_path/issue_2270_poc.webp")
+
+class WebPImage_inject_VP8X_integer_overflow(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/2270
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/2270"
+
+    filename = path("$tmp_path/issue_2270_poc.webp")
+    commands = ["$exiv2 rm $filename"]
+    stdout = [""]
+    stderr = [
+        """$exception_in_erase """ + filename + """:
+$kerCorruptedMetadata
+"""]
+    retval = [1]
--- a/tests/regression_tests/test_regression_allfiles.py
+++ b/tests/regression_tests/test_regression_allfiles.py
@ -94,6 +94,7 @@ def get_valid_files(data_dir):
        "issue_2160_poc.jpg",
        "issue_2178_poc.jp2",
        "issue_2268_poc.jp2",
+        "issue_2270_poc.webp",
        "issue_2320_poc.jpg",
        "issue_2339_poc.tiff",
        "issue_ghsa_583f_w9pm_99r2_poc.jp2",