Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validate reconstructed chunk sizes #848

Merged
merged 3 commits into from
Oct 12, 2020
Merged

Validate reconstructed chunk sizes #848

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
63b65a4
validate chunk sizes when reconstructing offsets
peterhillman Oct 9, 2020
f2f10e3
validate file offset arithmetic during chunk reconstruction
peterhillman Oct 9, 2020
65d6730
Merge branch 'master' into validate_reconstructed_chunk_sizes
peterhillman Oct 12, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions OpenEXR/IlmImf/ImfDeepScanLineInputFile.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -344,6 +344,17 @@ reconstructLineOffsets (OPENEXR_IMF_INTERNAL_NAMESPACE::IStream &is,
OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, packed_offset);
OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, packed_sample);
//next is unpacked sample table size - skip this too

// check for bad values to prevent overflow
if (packed_offset < 0 ||
packed_sample < 0 ||
(INT64_MAX-packed_offset < packed_sample ) ||
(INT64_MAX-(packed_offset+packed_sample) < 8 ) )
{
throw IEX_NAMESPACE::IoExc("Invalid chunk size");
}


Xdr::skip <StreamIO> (is, packed_offset+packed_sample+8);

if (lineOrder == INCREASING_Y)
Expand Down
34 changes: 31 additions & 3 deletions OpenEXR/IlmImf/ImfMultiPartInputFile.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -655,6 +655,11 @@ MultiPartInputFile::Data::chunkOffsetReconstruction(OPENEXR_IMF_INTERNAL_NAMESPA
OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, packed_sample);

//add 40 byte header to packed sizes (tile coordinates, packed sizes, unpacked size)
// check for bad values to prevent overflow
if ( (INT64_MAX - packed_offset < packed_sample) || ( INT64_MAX - (packed_offset + packed_sample) < 40ll) )
{
throw IEX_NAMESPACE::IoExc("Invalid chunk size");
}
size_of_chunk=packed_offset+packed_sample + 40ll;
}
else
Expand All @@ -663,6 +668,12 @@ MultiPartInputFile::Data::chunkOffsetReconstruction(OPENEXR_IMF_INTERNAL_NAMESPA
// regular image has 20 bytes of header, 4 byte chunksize;
int chunksize;
OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, chunksize);
// check for bad values to prevent overflow
if ( chunksize < 0 )
{
throw IEX_NAMESPACE::IoExc("Invalid chunk size");
}

size_of_chunk=static_cast<Int64>(chunksize) + 20ll;
}
}
Expand Down Expand Up @@ -692,14 +703,27 @@ MultiPartInputFile::Data::chunkOffsetReconstruction(OPENEXR_IMF_INTERNAL_NAMESPA
Int64 packed_sample;
OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, packed_offset);
OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, packed_sample);



// check for bad values to prevent overflow
if ( packed_offset < 0 ||
packed_sample < 0 ||
(INT64_MAX - packed_offset < packed_sample) ||
( INT64_MAX - (packed_offset + packed_sample) < 28ll) )
{
throw IEX_NAMESPACE::IoExc("Invalid chunk size");
}
size_of_chunk=packed_offset+packed_sample + 28ll;
}
else
{
int chunksize;
OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, chunksize);

// check for bad values to prevent overflow
if ( chunksize < 0 )
{
throw IEX_NAMESPACE::IoExc("Invalid chunk size");
}
size_of_chunk=static_cast<Int64>(chunksize) + 8ll;
}

Expand All @@ -709,7 +733,11 @@ MultiPartInputFile::Data::chunkOffsetReconstruction(OPENEXR_IMF_INTERNAL_NAMESPA
{
chunk_start+=4;
}


if ( (INT64_MAX - chunk_start) < size_of_chunk )
{
throw IEX_NAMESPACE::IoExc("File pointer overflow during reconstruction");
}
chunk_start+=size_of_chunk;

is.seekg(chunk_start);
Expand Down
5 changes: 5 additions & 0 deletions OpenEXR/IlmImf/ImfScanLineInputFile.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -306,6 +306,11 @@ reconstructLineOffsets (OPENEXR_IMF_INTERNAL_NAMESPACE::IStream &is,
int dataSize;
OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, dataSize);

// check for bad values to prevent overflow
if ( dataSize < 0 )
{
throw IEX_NAMESPACE::IoExc("Invalid chunk size");
}
Xdr::skip <StreamIO> (is, dataSize);

if (lineOrder == INCREASING_Y)
Expand Down
22 changes: 19 additions & 3 deletions OpenEXR/IlmImf/ImfTileOffsets.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -150,14 +150,30 @@ TileOffsets::findTiles (OPENEXR_IMF_INTERNAL_NAMESPACE::IStream &is, bool isMult
OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, packed_offset_table_size);
OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, packed_sample_size);

// check for bad values to prevent overflow
if ( packed_offset_table_size < 0 ||
packed_sample_size < 0 ||
( INT64_MAX - packed_offset_table_size < packed_sample_size) ||
( INT64_MAX - (packed_offset_table_size + packed_sample_size) ) < 8 )
{
throw IEX_NAMESPACE::IoExc("Invalid deep tile size");
}

// next Int64 is unpacked sample size - skip that too
Xdr::skip <StreamIO> (is, packed_offset_table_size+packed_sample_size+8);

}else{

int dataSize;
}
else
{
int dataSize;
OPENEXR_IMF_INTERNAL_NAMESPACE::Xdr::read <OPENEXR_IMF_INTERNAL_NAMESPACE::StreamIO> (is, dataSize);

// check for bad values to prevent overflow
if ( dataSize < 0 )
{
throw IEX_NAMESPACE::IoExc("Invalid tile size");
}

Xdr::skip <StreamIO> (is, dataSize);
}
if (skipOnly) continue;
Expand Down