From bc480dcc499cfb98d94f39b76fb04ddf04f4ece0 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Wed, 1 Sep 2021 21:46:01 +0100 Subject: [PATCH 1/2] Regression test for https://github.com/Exiv2/exiv2/issues/1887 (cherry picked from commit 9c4f9c713f4f22eba7fd2854a617533c832714ee) --- test/data/issue_1887_poc.crw | Bin 0 -> 102 bytes tests/bugfixes/github/test_issue_1887.py | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 test/data/issue_1887_poc.crw create mode 100644 tests/bugfixes/github/test_issue_1887.py diff --git a/test/data/issue_1887_poc.crw b/test/data/issue_1887_poc.crw new file mode 100644 index 0000000000000000000000000000000000000000..bfbdc103e95176879bc384c0f40962bb98dbf02f GIT binary patch literal 102 zcmebDRA69W@NjhuaCUYH`hR2E|F>L!{&O+x`k&SO=J)^mj124=vOpD@Knww)Fa`r7 Zg!P}H4#;3)I3Nv^;o< Date: Thu, 2 Sep 2021 10:26:08 +0100 Subject: [PATCH 2/2] Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37889 Avoid reading 1 byte off the end when the string does not contain a '\0' byte. (cherry picked from commit bd211a90ac3c383b13db7f42f18c3dd7cb717192) --- src/crwimage_int.cpp | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp index 07c9e7b006..2629197851 100644 --- a/src/crwimage_int.cpp +++ b/src/crwimage_int.cpp 
@@ -847,22 +847,20 @@ namespace Exiv2 {
 ExifKey key1("Exif.Image.Make");
 Value::AutoPtr value1 = Value::create(ciffComponent.typeId());
 uint32_t i = 0;
- for (; i < ciffComponent.size() && ciffComponent.pData()[i] != '\0'; ++i) {
+ while (i < ciffComponent.size() && ciffComponent.pData()[i++] != '\0') {
 // empty
 }
- value1->read(ciffComponent.pData(), ++i, byteOrder);
+ value1->read(ciffComponent.pData(), i, byteOrder);
 image.exifData().add(key1, value1.get());
 // Model
 ExifKey key2("Exif.Image.Model");
 Value::AutoPtr value2 = Value::create(ciffComponent.typeId());
 uint32_t j = i;
- for (; i < ciffComponent.size() && ciffComponent.pData()[i] != '\0'; ++i) {
+ while (i < ciffComponent.size() && ciffComponent.pData()[i++] != '\0') {
 // empty
 }
- value2->read(ciffComponent.pData() + j, i - j + 1, byteOrder);
+ value2->read(ciffComponent.pData() + j, i - j, byteOrder);
 image.exifData().add(key2, value2.get());
 } // CrwMap::decode0x080a
@@ -1000,11 +998,10 @@ namespace Exiv2 {
 else if (ciffComponent.typeId() == asciiString) {
 // determine size from the data, by looking for the first 0
 uint32_t i = 0;
- for (; i < ciffComponent.size() && ciffComponent.pData()[i] != '\0'; ++i) {
+ while (i < ciffComponent.size() && ciffComponent.pData()[i++] != '\0') {
 // empty
 }
- size = ++i;
+ size = i;
 }
 else {
 // by default, use the size from the directory entry
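Review bot: The bounds-checked scan is now written three times (both `while` loops in the decode0x080a hunk and the one after `uint32_t i = 0;` in the decodeBasic hunk), each depending on the post-increment inside the loop condition to leave `i` one past the terminator, which is the same kind of subtlety that produced the original one-byte over-read. A small file-local helper would keep the bound check in one place and make the post-condition explicit; at minimum each loop deserves a comment such as `// i == length including the '\0', or size() when the data is unterminated`. The rewrite below preserves the patch's semantics exactly (terminator counted when present, the whole remaining buffer otherwise, never past the end). Both enclosing functions begin outside the hunks, so the helper would sit at file scope above them.
```cpp
// Number of bytes occupied by the string at p: its length plus the '\0'
// when one lies within the first size bytes, else size (unterminated
// data is taken whole and never read past its end).
static uint32_t nulTerminatedLength(const byte* p, uint32_t size)
{
    for (uint32_t n = 0; n < size; ++n) {
        if (p[n] == '\0') return n + 1;
    }
    return size;
}

// … unchanged: CrwMap::decode0x080a up to the Make value …
        uint32_t i = nulTerminatedLength(ciffComponent.pData(), ciffComponent.size());
        value1->read(ciffComponent.pData(), i, byteOrder);
// … unchanged: add key1, Model key/value creation …
        uint32_t j = i;
        i += nulTerminatedLength(ciffComponent.pData() + j, ciffComponent.size() - j);
        value2->read(ciffComponent.pData() + j, i - j, byteOrder);
// … unchanged: add key2 …

// … unchanged: decodeBasic up to the asciiString branch …
            size = nulTerminatedLength(ciffComponent.pData(), ciffComponent.size());
```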