From a7b920bdbde1ee15a1a470d743dbae69ee398c75 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Wed, 30 Jun 2021 16:47:12 +0100
Subject: [PATCH 1/2] Regression test for https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v

---
 test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 | Bin 0 -> 1692 bytes
 .../github/test_issue_ghsa_mxw9_qx4c_6m8v.py | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
 create mode 100644 tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py

diff --git a/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
new file mode 100644
index 0000000000..8f8b6676cf
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
+@CopyTmpFiles("$data_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
+
+class Jp2ImageEncodeJp2HeaderOutOfBoundsRead2(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
+    """
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v"
+
+    filename = path("$tmp_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
+    commands = ["$exiv2 rm $filename"]
+    stdout = [""]
+    retval = [0]
+
+    compare_stderr = check_no_ASAN_UBSAN_errors

From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Wed, 30 Jun 2021 16:47:50 +0100
Subject: [PATCH 2/2] Fix incorrect loop condition.

---
 src/jp2image.cpp | 6 ++++--
 .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index b6a388542f..3bf3566294
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
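Review bot: The blank line between `@CopyTmpFiles(...)` and the `class` statement detaches the decorator from the definition it applies to; the same layout is introduced in the hunk for tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py. Moving the blank line above the decorator (`from system_tests import ...`, blank line, `@CopyTmpFiles(...)`, `class ...`) keeps the decorator attached to the class as PEP 8 expects and as an auto-formatter would lay it out. It would also help to say in the docstring what the test actually detects: as the name `check_no_ASAN_UBSAN_errors` suggests, the out-of-bounds read is only observed in a sanitizer build, while in a plain build `retval = [0]` alone passes regardless, e.g. `Only meaningful under ASAN/UBSAN: the command must exit 0 with no sanitizer report on stderr.`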
@@ -656,12 +656,14 @@ static void boxes_check(size_t b,size_t m) char* p = (char*) boxBuf.pData_; bool bWroteColor = false ; - while ( count < length || !bWroteColor ) { + while ( count < length && !bWroteColor ) { enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata); Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ; // copy data. pointer could be into a memory mapped file which we will decode! - Jp2BoxHeader subBox = *pSubBox ; + // pSubBox isn't always an aligned pointer, so use memcpy to do the copy. + Jp2BoxHeader subBox; + memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader)); Jp2BoxHeader newBox = subBox; if ( count < length ) { diff --git a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py index c98b3815eb..44f6a906cb 100644 --- a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py +++ b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py @@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- -from system_tests import CaseMeta, path - +from system_tests import CaseMeta, CopyTmpFiles, path +@CopyTmpFiles("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2","$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv") class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta): """ @@ -10,13 +10,12 @@ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta): """ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj" - filename1 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2") - filename2 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv") + filename1 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2") + filename2 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.exv") commands = ["$exiv2 in $filename1"] stdout = [""] stderr = [ """Error: XMP Toolkit error 201: XML parsing failure Warning: Failed to decode XMP metadata. -$filename1: Could not write metadata to file: $kerCorruptedMetadata """] - retval = [1] + retval = [0]
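Review bot: With the loop head now `while ( count < length && !bWroteColor )`, the `if ( count < length ) {` at the end of the hunk is always true on entry to the body, since none of the visible lines between the loop head and that check modify `count`; the old `||` form presumably existed so that the body could run once past the end of the buffer and take an `else` path when no colour box had been seen. If that `else` branch still exists below the hunk it is now unreachable and should either be removed or the missing-colour case handled after the loop; the enclosing function starts and ends outside the hunk, so I cannot see which applies. The new `memcpy` call also needs `<cstring>` in scope, which the hunk does not show. A comment on the loop head would record the two bounds for the next reader: `// stop at the end of the buffer or once the colour box has been written; never read past length`.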
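Review bot: The expected outcome of tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py flips from `retval = [1]` with a `$kerCorruptedMetadata` error to `retval = [0]`, but the class docstring (outside the hunk) is untouched, so a reader can no longer tell from the test whether the PoC file is meant to be rejected or processed safely; a sentence such as `After the fix the file is processed without error and without an out-of-bounds read; only the XMP parsing error and warning are expected on stderr.` would preserve that intent. The remaining `stderr` expectation still pins the XMP toolkit's exact wording, which ties the test to the XMP SDK version; if that is not the point of the test, `compare_stderr = check_no_ASAN_UBSAN_errors` as used in the sibling GHSA-mxw9 test is a looser alternative. The class body continues past the end of the hunk.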