From f13ebca839e55d0c7ea1c7f57ae667c47fe9c0d5 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Mon, 5 Jul 2021 10:39:08 +0100
Subject: [PATCH 1/2] Regression test for https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
---
 test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2 | Bin 0 -> 32768 bytes
 .../github/test_issue_ghsa_583f_w9pm_99r2.py | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2
 create mode 100644 tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
diff --git a/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
new file mode 100644
index 000000000..808916aee
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors
+
+class Jp2ImagePrintStructureICC(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
+    """
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2"
+
+    filename = path("$data_path/issue_ghsa_583f_w9pm_99r2_poc.jp2")
+    commands = ["$exiv2 -p C $filename"]
+    stdout = [""]
+    stderr = ["""Exiv2 exception in print action for file $filename:
+$kerCorruptedMetadata
+"""]
+    retval = [1]
From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Mon, 5 Jul 2021 10:40:03 +0100
Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
---
 src/jp2image.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 3bf356629..2d6dc2118 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
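Review bot: `check_no_ASAN_UBSAN_errors` is imported on the third line of the new test file but is never referenced in any of its 18 lines, so the import is dead; either trim it to `from system_tests import CaseMeta, path` or, if sanitizer output on stderr is meant to be tolerated, wire the helper in as the stderr comparator (system_tests is not visible here, so confirm the hook name it expects). As written the case pins stderr to exactly the kerCorruptedMetadata message and retval to 1, which is the stricter assertion and the right one for a regression test of a rejected input, so dropping the import is the smaller change. A one-line addition to the class docstring saying which code path the PoC drives (`exiv2 -p C` on a jp2 whose colour-header box is truncated, per the fix in the second patch) would help the next reader, since the advisory URL alone may not stay reachable.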
@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m)
                 if (subBox.type == kJp2BoxTypeColorHeader)
                 {
                     long pad = 3; // don't know why there are 3 padding bytes
+                    enforce(data.size_ >= pad, kerCorruptedMetadata);
                     if (bPrint) {
                         out << " | pad:";
                         for (int i = 0; i < 3; i++)
@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m)
                     if (bPrint) {
                         out << " | iccLength:" << iccLength;
                     }
+                    enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
                     if (bICC) {
                         out.write((const char*)data.pData_ + pad, iccLength);
                     }
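Review bot: The added `enforce(data.size_ >= pad, kerCorruptedMetadata);` bounds only the three pad bytes the loop below it prints; `iccLength` is evidently decoded from the box data before the second hunk (that line sits between the two hunks and is not visible here), and if it is read as a 4-byte value at `data.pData_ + pad` that read needs `data.size_ >= pad + 4`, which the new check does not provide for a box whose data is exactly 3 bytes long. Strengthening the first check to `enforce(data.size_ >= pad + 4, kerCorruptedMetadata);` would cover both the pad bytes and the length field if that is how iccLength is obtained; please confirm against the intervening line. The enclosing function (Jp2Image::printStructure per the subject; the `boxes_check` name in the `@@` context is only the nearest preceding definition) starts and ends outside both hunks.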
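Review bot: In the second hunk, `enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);` is free of underflow only because the first hunk's `data.size_ >= pad` check runs earlier in the same block, and that dependency is not stated; a one-line comment such as `// data.size_ >= pad was enforced above, so the subtraction cannot go negative` would keep a later refactor from reordering the two. If `iccLength` is a signed type (its declaration is outside the hunk), a negative value also satisfies this comparison and reaches `out.write` as a negative count, so either decoding it into an unsigned type or adding `iccLength >= 0` to the condition would close that corner.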