-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bufRead needs to be adjusted after seek() #1790
bufRead needs to be adjusted after seek() #1790
Conversation
I converted this PR to draft because I'd like to do some further clean-up in |
1c67748
to
566b9fb
Compare
I spent some more time looking at this and ended up doing a major overhaul of the code in this file, which you can see in the third commit. I believe the new code behaves exactly as before, except for one place where I made a minor change to the output by fixing a (benign) out-of-bounds read and another place where I fixed a bug in some code that unfortunately seems to be untested. In the original code, a variable called Looking at the code, I was puzzled by the hard-coded number 36. JPG files are divided into segments, each of which starts with a "marker". The code seems to assume that every segment is at least 36 bytes long, which isn't actually true. In other words, it possible for the So I have concluded that the number 36 is a hack which ought to be fixed. I have replaced it with logic which (hopefully) correctly calculates the size of the payload, allocates a buffer of the corresponding size, and then reads the whole payload. As a side-effect, this has also enabled me to remove most of the calls to It turns out that this file already contained all the necessary logic to calculate the size of the payload, but it wasn't used systematically throughout the code. There are two steps:
I have duplicated the code which calculates the size of the payload and loads it into a buffer in the 4 source locations where segments are parsed. I duplicated the code because I can't create a shared utility function without modifying the header files on the The change in the expected output in The second bug that I fixed is on line 860. I believe that calculation is wrong. It is causing a negative number to be calculated on line 879, which causes a crash in the subsequent memory allocation. Unfortunately, that code is not covered by any of our tests, so I can't be completely sure what the expected behavior is. (I found the crash by fuzzing.) |
@kevinbackhouse This is really good stuff, Kev. Thank You for digging into this. I will be very happy if somebody else reviews this. If nobody volunteers by 2021-08-01, please email me and I will get involved. robin@clanmills.com |
Co-authored-by: Christoph Hasse <hassec@users.noreply.github.com>
93d96ad
to
b5cbb47
Compare
bufRead needs to be adjusted after seek() (backport #1790)
Fixes: GHSA-mvc4-g5pv-4qqq
It looks to me like the intention of this code is that
bufRead
tracks the current position in the file, so it needs to be updated after every call toread()
orseek()
. There was a missing update which caused an infinite loop.