exiv2/unitTests/test_basicio.cpp
Kevin Backhouse edb4bf78ca Add bounds check to MemIo::seek(). (#944)
- Regression test for missing bounds check in MemIo::seek()
- Add bounds check to MemIo::seek(), this fixes CVE-2019-13504

(cherry picked from commit bd0afe0390439b2c424d881c8c6eb0c5624e31d9)

Additional fixes for 0.27:
- Add fix for the linux variant of MemIo::seek
- Change type of variable from unsigned to signed
2019-07-28 12:43:06 +02:00


#include <exiv2/basicio.hpp>
#include <gtest/gtest.h>
using namespace Exiv2;
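TEST(MemIo, seek_out_of_bounds_00)
{
    // Regression test for bug reported in https://github.com/Exiv2/exiv2/pull/945
    // The problem is that MemIo::seek() does not check that the new offset is
    // in bounds. This case covers an absolute seek (BasicIo::beg) far beyond
    // the end of the 1024-byte buffer.
    byte buf[1024] = {};  // zero-initialised; avoids depending on <cstring> for memset
    MemIo io(buf, sizeof(buf));
    ASSERT_FALSE(io.eof());
    ASSERT_EQ(io.tell(), 0);

    byte tmp[16];
    // The out-of-range seek is expected to fail (return 1) and set the EOF flag.
    ASSERT_EQ(io.seek(0x10000000, BasicIo::beg), 1);
    ASSERT_TRUE(io.eof());
    // The seek was invalid, so the offset must not have moved. Check the
    // position directly instead of only inferring it from the read below.
    ASSERT_EQ(io.tell(), 0);
    // With the offset unchanged, this read still works.
    ASSERT_EQ(io.read(tmp, sizeof(tmp)), sizeof(tmp));
}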
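TEST(MemIo, seek_out_of_bounds_01)
{
    // Seeking relative to the end of the buffer (BasicIo::end): a zero offset
    // is valid, a large positive offset is out of bounds and must be refused.
    byte buf[1024] = {};  // zero-initialised; avoids depending on <cstring> for memset
    MemIo io(buf, sizeof(buf));
    ASSERT_FALSE(io.eof());

    byte tmp[16];
    // Seek to the end of the file.
    ASSERT_EQ(io.seek(0, BasicIo::end), 0);
    ASSERT_EQ(io.tell(), static_cast<long>(sizeof(buf)));
    // Nothing is left to read at the end of the buffer.
    ASSERT_EQ(io.read(tmp, sizeof(tmp)), 0);

    // Try to seek past the end of the file.
    ASSERT_EQ(io.seek(0x10000000, BasicIo::end), 1);
    ASSERT_TRUE(io.eof());
    // The rejected seek must leave the position at the end of the buffer,
    // not somewhere beyond it.
    ASSERT_EQ(io.tell(), static_cast<long>(sizeof(buf)));
    ASSERT_EQ(io.read(tmp, sizeof(tmp)), 0);
}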
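TEST(MemIo, seek_out_of_bounds_02)
{
    // Seeking relative to the current position (BasicIo::cur) with an offset
    // that would land far beyond the end of the 1024-byte buffer.
    byte buf[1024] = {};  // zero-initialised; avoids depending on <cstring> for memset
    MemIo io(buf, sizeof(buf));
    ASSERT_FALSE(io.eof());

    byte tmp[16];
    // Try to seek past the end of the file.
    ASSERT_EQ(io.seek(0x10000000, BasicIo::cur), 1);
    ASSERT_TRUE(io.eof());
    // The seek was invalid, so the offset must not have moved. Check the
    // position directly instead of only inferring it from the read below.
    ASSERT_EQ(io.tell(), 0);
    // With the offset unchanged, this read still works.
    ASSERT_EQ(io.read(tmp, sizeof(tmp)), sizeof(tmp));
}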
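TEST(MemIo, seek_out_of_bounds_03)
{
    // Seeking relative to the current position (BasicIo::cur) with a negative
    // offset that would land before the start of the buffer.
    byte buf[1024] = {};  // zero-initialised; avoids depending on <cstring> for memset
    MemIo io(buf, sizeof(buf));
    ASSERT_FALSE(io.eof());

    byte tmp[16];
    // Try to seek past the beginning of the file.
    ASSERT_EQ(io.seek(-0x10000000, BasicIo::cur), 1);
    // Unlike the past-the-end cases, a rejected backwards seek is expected
    // to leave the EOF flag clear.
    ASSERT_FALSE(io.eof());
    // The seek was invalid, so the offset must not have moved. Check the
    // position directly instead of only inferring it from the read below.
    ASSERT_EQ(io.tell(), 0);
    // With the offset unchanged, this read still works.
    ASSERT_EQ(io.read(tmp, sizeof(tmp)), sizeof(tmp));
}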