From 70567edd9fc8753cc176de02b1d96f504a14e82c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hubert=20Figui=C3=A8re?=
Date: Sun, 26 Mar 2017 01:10:11 -0400
Subject: [PATCH 2/5] Bug 100397 - Fix crash on malformed JPEG file
---
 source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp | 10 +++++++---
 source/XMPFiles/FormatSupport/TIFF_Support.hpp | 13 ++++++++++++-
 source/common/EndianUtils.hpp | 9 +++++++++
 3 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp b/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp
index 316cea0..1446cb4 100644
--- a/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp
+++ b/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp
@@ -65,7 +65,7 @@ void TIFF_MemoryReader::SortIFD ( TweakedIFDInfo* thisIFD )
 } else if ( thisTag == prevTag ) {
 // Duplicate tag, keep the 2nd copy, move the tail of the array up, prevTag is unchanged.
- memcpy ( &ifdEntries[i-1], &ifdEntries[i], 12*(tagCount-i) ); // AUDIT: Safe, moving tail forward, i >= 1.
+ memmove ( &ifdEntries[i-1], &ifdEntries[i], 12*(tagCount-i) ); // may overlap -- Hub
 --tagCount;
 --i; // ! Don't move forward in the array, we've moved the unseen part up.
@@ -81,7 +81,7 @@ void TIFF_MemoryReader::SortIFD ( TweakedIFDInfo* thisIFD )
 // Out of order duplicate, move it to position j, move the tail of the array up.
 ifdEntries[j] = ifdEntries[i];
- memcpy ( &ifdEntries[i], &ifdEntries[i+1], 12*(tagCount-(i+1)) ); // AUDIT: Safe, moving tail forward, i >= 1.
+ memmove ( &ifdEntries[i], &ifdEntries[i+1], 12*(tagCount-(i+1)) ); // may overlap -- Hub
 --tagCount;
 --i; // ! Don't move forward in the array, we've moved the unseen part up.
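Review bot: The new comments on both memmove lines drop the bounds argument the original AUDIT note carried; "may overlap -- Hub" explains why memcpy was wrong but no longer records why `12*(tagCount-i)` bytes stay inside the array (the tail is moved toward the front, i >= 1). Suggest `// AUDIT: Safe, moving tail forward, i >= 1; source and destination overlap, hence memmove.` here and the same wording on the matching line in the @@ -81 hunk. The literal 12 is presumably sizeof(TweakedIFDEntry); `sizeof(ifdEntries[0])*(tagCount-i)` would tie the byte count to the type, provided that struct is packed to 12 bytes — confirm against its definition before changing it. SortIFD starts before the first hunk and continues past the second.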
@@ -212,7 +212,11 @@ bool TIFF_MemoryReader::GetTag ( XMP_Uns8 ifd, XMP_Uns16 id, TagInfo* info ) con
 info->dataLen = thisTag->bytes;
 info->dataPtr = this->GetDataPtr ( thisTag );
-
+ // Here we know that if it is NULL, it is wrong. -- Hub
+ // GetDataPtr will return NULL in case of overflow.
+ if (info->dataPtr == NULL) {
+ return false;
+ }
 }
 return true;
diff --git a/source/XMPFiles/FormatSupport/TIFF_Support.hpp b/source/XMPFiles/FormatSupport/TIFF_Support.hpp
index 9af76c4..95badba 100644
--- a/source/XMPFiles/FormatSupport/TIFF_Support.hpp
+++ b/source/XMPFiles/FormatSupport/TIFF_Support.hpp
@@ -723,7 +723,18 @@ private:
 const TweakedIFDEntry* FindTagInIFD ( XMP_Uns8 ifd, XMP_Uns16 id ) const;
 const inline void* GetDataPtr ( const TweakedIFDEntry* tifdEntry ) const
- { if ( tifdEntry->bytes <= 4 ) return &tifdEntry->dataOrPos; else return (this->tiffStream + tifdEntry->dataOrPos); };
+ { if ( GetUns32AsIs(&tifdEntry->bytes) <= 4 ) {
+ return &tifdEntry->dataOrPos;
+ } else {
+ XMP_Uns32 pos = GetUns32AsIs(&tifdEntry->dataOrPos);
+ if (pos + GetUns32AsIs(&tifdEntry->bytes) > this->tiffLength) {
+ // Invalid file.
+ // The data is past the length of the TIFF.
+ return NULL;
+ }
+ return (this->tiffStream + pos);
+ }
+ }
 static inline void NotAppropriate() { XMP_Throw ( "Not appropriate for TIFF_Reader", kXMPErr_InternalFailure ); };
diff --git a/source/common/EndianUtils.hpp b/source/common/EndianUtils.hpp
index 59e2e32..0e2e2fe 100644
--- a/source/common/EndianUtils.hpp
+++ b/source/common/EndianUtils.hpp
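Review bot: The new `return false` in GetTag fires after `info->dataLen` and `info->dataPtr` have already been written, so a caller that reads `*info` without checking the return value (none are visible here) would see a non-zero dataLen paired with a NULL pointer; the added comment should state that contract rather than only why NULL is wrong, e.g. `// A NULL dataPtr means the entry points past the end of the stream; *info is not valid on a false return.`. It would also help to note on GetTag's declaration that false now covers both "tag absent" and "tag present but its data lies outside the TIFF", since callers may treat the two differently. GetTag starts outside this hunk.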
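Review bot: The bounds check in GetDataPtr, `pos + GetUns32AsIs(&tifdEntry->bytes) > this->tiffLength`, is computed in 32-bit unsigned arithmetic (both operands are XMP_Uns32; tiffLength's type is not visible here but is presumably no wider), so a malformed entry whose offset and byte count sum past 2^32 wraps to a small value, passes the check, and `this->tiffStream + pos` is returned pointing beyond the buffer — the same out-of-bounds read this commit sets out to stop. Rewrite it without the addition: `XMP_Uns32 bytes = GetUns32AsIs(&tifdEntry->bytes);` followed by `if ( pos > this->tiffLength || bytes > this->tiffLength - pos ) return NULL;`. The `bytes <= 4` branch needs no check since it points into the entry itself. If GetDataPtr has callers other than GetTag, they now need to handle the NULL return as well; only GetTag is updated in this patch.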
@@ -148,6 +148,15 @@ GetUns32LE ( const void * addr )
 // -------------------------------------------------------------------------------------------------
+static inline XMP_Uns32
+GetUns32AsIs ( const void * addr )
+{
+ XMP_Uns32 value = *((XMP_Uns32*)addr);
+ return value; // Use this to avoid SPARC failure to handle unaligned loads and stores.
+}
+
+// -------------------------------------------------------------------------------------------------
+
 static inline XMP_Uns64
 GetUns64BE ( const void * addr )
 {
-- 
2.17.2
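Review bot: GetUns32AsIs performs a direct `*((XMP_Uns32*)addr)` load, which is precisely the unaligned access the trailing comment says the helper exists to avoid; on a strict-alignment target such as the SPARC it names, an unaligned `addr` (an IFD entry field inside a byte buffer) is a bus error, and the cast also breaks strict aliasing. Read through memcpy instead, which compilers fold to a single load where alignment allows: `XMP_Uns32 value;` then `memcpy ( &value, addr, sizeof(value) );` then `return value;` — this needs <cstring>/<string.h>, which I cannot confirm this header already includes. The comment itself would then be accurate if reworded to say what the function does, e.g. `// Read a 32-bit value in native byte order (no swapping); memcpy keeps it safe for unaligned addr.`. The sibling GetUns32BE/GetUns32LE bodies are not in this hunk, so I cannot tell whether they use the same pattern.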