[SCM] exiv2 packaging branch, master, updated. debian/0.25-3.1-3734-gdcbc29a
Maximiliano Curia
maxy at moszumanska.debian.org
Thu Jul 13 17:43:38 UTC 2017
Gitweb-URL: http://git.debian.org/?p=pkg-kde/kde-extras/exiv2.git;a=commitdiff;h=c664019
The following commit has been merged in the master branch:
commit c6640197f3715554132268bceefd6019c531bdf9
Author: Abhinav Badola <mail.abu.to at gmail.com>
Date: Wed Mar 13 21:45:51 2013 +0000
#890: Corrected the case of heap overflow if dataLength>500 in asfvideo.cpp, quicktimevideo.cpp
---
src/asfvideo.cpp | 42 +++++++++++++++++++++++++++++++++++++--
src/quicktimevideo.cpp | 53 +++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 92 insertions(+), 3 deletions(-)
diff --git a/src/asfvideo.cpp b/src/asfvideo.cpp
index 817618d..e2ec2f5 100644
--- a/src/asfvideo.cpp
+++ b/src/asfvideo.cpp
@@ -596,7 +596,7 @@ namespace Exiv2 {
void AsfVideo::metadataHandler(int meta)
{
- DataBuf buf(500);
+ DataBuf buf(5000);
io_->read(buf.pData_, 2);
int recordCount = Exiv2::getUShort(buf.pData_, littleEndian), nameLength = 0, dataLength = 0, dataType = 0;
Exiv2::Value::AutoPtr v = Exiv2::Value::create(Exiv2::xmpSeq);
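Review bot: The new capacity `5000` is a bare literal that the length checks added further down in metadataHandler repeat four times (the nameLength and dataLength checks in both branches), so the allocation and the bound can drift apart the next time either is changed. Comparing against the buffer itself, e.g. `if (nameLength > buf.size_)`, or using one named constant for both the `DataBuf` and the checks, keeps them tied together. metadataHandler's body continues outside this hunk.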
@@ -614,20 +614,48 @@ namespace Exiv2 {
io_->read(buf.pData_, 4);
dataLength = Exiv2::getULong(buf.pData_, littleEndian);
+ if (nameLength > 5000) {
+#ifndef SUPPRESS_WARNINGS
+ EXV_ERROR << "Xmp.video.Metadata nameLength was found to be larger than 5000 "
+ << " entries considered invalid; not read.
";
+#endif
+ io_->seek(io_->tell() + nameLength, BasicIo::beg);
+ }
+ else
io_->read(buf.pData_, nameLength);
+
v->read(toString16(buf));
if(dataType == 6) {
io_->read(guidBuf, 16);
getGUID(guidBuf, fileID);
}
else
- io_->read(buf.pData_, dataLength);
+ // Sanity check with an "unreasonably" large number
+ if (dataLength > 5000) {
+#ifndef SUPPRESS_WARNINGS
+ EXV_ERROR << "Xmp.video.Metadata dataLength was found to be larger than 5000 "
+ << " entries considered invalid; not read.
";
+#endif
+ io_->seek(io_->tell() + dataLength, BasicIo::beg);
+ }
+ else
+ io_->read(buf.pData_, dataLength);
}
else if(meta == 2) {
io_->read(buf.pData_, 2);
nameLength = Exiv2::getUShort(buf.pData_, littleEndian);
+
+ if (nameLength > 5000) {
+#ifndef SUPPRESS_WARNINGS
+ EXV_ERROR << "Xmp.video.Metadata nameLength was found to be larger than 5000 "
+ << " entries considered invalid; not read.
";
+#endif
+ io_->seek(io_->tell() + nameLength, BasicIo::beg);
+ }
+ else
io_->read(buf.pData_, nameLength);
+
v->read(toString16(buf));
io_->read(buf.pData_, 2);
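Review bot: `dataLength` is declared `int` at the top of metadataHandler and is filled from `Exiv2::getULong` just above the first added dataLength check, so with the usual 32-bit `int` a stored length with the top bit set arrives negative, passes `dataLength > 5000`, and reaches `io_->read(buf.pData_, dataLength)` unchecked. The guard should reject both ends, `if (dataLength < 0 || dataLength > 5000)`, and treat the negative case as a parse error rather than seeking by it; holding the length in an unsigned type would also work. Separately, when the `nameLength` check fires the read is skipped but `v->read(toString16(buf))` still runs on whatever the buffer held before, so that call probably belongs inside the `else`. The enclosing branch starts outside the hunk.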
@@ -635,6 +663,16 @@ namespace Exiv2 {
io_->read(buf.pData_, 2);
dataLength = Exiv2::getUShort(buf.pData_, littleEndian);
+
+ // Sanity check with an "unreasonably" large number
+ if (dataLength > 5000) {
+#ifndef SUPPRESS_WARNINGS
+ EXV_ERROR << "Xmp.video.Metadata dataLength was found to be larger than 5000 "
+ << " entries considered invalid; not read.
";
+#endif
+ io_->seek(io_->tell() + dataLength, BasicIo::beg);
+ }
+ else
io_->read(buf.pData_, dataLength);
}
diff --git a/src/quicktimevideo.cpp b/src/quicktimevideo.cpp
index 07625b8..05f173b 100644
--- a/src/quicktimevideo.cpp
+++ b/src/quicktimevideo.cpp
@@ -946,7 +946,7 @@ namespace Exiv2 {
void QuickTimeVideo::NikonTagsDecoder(unsigned long size_external)
{
uint64_t cur_pos = io_->tell();
- DataBuf buf(100), buf2(4+1);
+ DataBuf buf(200), buf2(4+1);
unsigned long TagID = 0;
unsigned short dataLength = 0, dataType = 2;
const TagDetails* td, *td2;
@@ -1056,7 +1056,18 @@ namespace Exiv2 {
else if(dataType == 2 || dataType == 7) {
dataLength = Exiv2::getUShort(buf.pData_, bigEndian);
std::memset(buf.pData_, 0x0, buf.size_);
+
+ // Sanity check with an "unreasonably" large number
+ if (dataLength > 200) {
+#ifndef SUPPRESS_WARNINGS
+ EXV_ERROR << "Xmp.video Nikon Tags, dataLength was found to be larger than 200."
+ << " Entries considered invalid. Not Processed.
";
+#endif
+ io_->seek(io_->tell() + dataLength, BasicIo::beg);
+ }
+ else
io_->read(buf.pData_, dataLength);
+
if(td)
xmpData_[exvGettext(td->label_)] = Exiv2::toString(buf.pData_);
}
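Review bot: The added check lets `dataLength == 200` through, which fills the 200-byte `buf` completely, so the following `Exiv2::toString(buf.pData_)` has no zero byte left over from the `memset`. Assuming toString reads `pData_` as a NUL-terminated string, that is a read past the end of the allocation. Either test `if (dataLength >= buf.size_)` or allocate one byte more than the largest accepted length. On the oversized path the tag is still assigned from the zeroed buffer, so it is stored as an empty string rather than left out, which the log message does not say. The enclosing if/else chain starts outside the hunk.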
@@ -1066,6 +1077,16 @@ namespace Exiv2 {
io_->read(buf.pData_, 4);
if(td)
xmpData_[exvGettext(td->label_)] = Exiv2::toString(Exiv2::getULong( buf.pData_, bigEndian));
+
+ // Sanity check with an "unreasonably" large number
+ if (dataLength > 200) {
+#ifndef SUPPRESS_WARNINGS
+ EXV_ERROR << "Xmp.video Nikon Tags, dataLength was found to be larger than 200."
+ << " Entries considered invalid. Not Processed.
";
+#endif
+ io_->seek(io_->tell() + dataLength - 4, BasicIo::beg);
+ }
+ else
io_->read(buf.pData_, dataLength - 4);
}
else if(dataType == 3) {
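Review bot: Only the upper bound of `dataLength` is checked before `io_->read(buf.pData_, dataLength - 4)`; `dataLength` is an `unsigned short`, so the subtraction is done in `int` and a stored length below 4 gives a negative count on both the read path and the seek path. The same pattern is in the three following hunks (`dataLength - 2` for dataType 3, `- 8` for dataType 5, `- 4` for dataType 8). A minimum needs to be enforced before the subtraction, e.g. `else if (dataLength >= 4)` in front of the read and the same minimum applied before the seek. Where `dataLength` is assigned in these branches lies outside the hunks, so confirm it cannot already be below the size of the fixed field.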
@@ -1074,6 +1095,16 @@ namespace Exiv2 {
io_->read(buf.pData_, 2);
if(td)
xmpData_[exvGettext(td->label_)] = Exiv2::toString(Exiv2::getUShort( buf.pData_, bigEndian));
+
+ // Sanity check with an "unreasonably" large number
+ if (dataLength > 200) {
+#ifndef SUPPRESS_WARNINGS
+ EXV_ERROR << "Xmp.video Nikon Tags, dataLength was found to be larger than 200."
+ << " Entries considered invalid. Not Processed.
";
+#endif
+ io_->seek(io_->tell() + dataLength - 2, BasicIo::beg);
+ }
+ else
io_->read(buf.pData_, dataLength - 2);
}
else if(dataType == 5) {
@@ -1083,6 +1114,16 @@ namespace Exiv2 {
io_->read(buf2.pData_, 4);
if(td)
xmpData_[exvGettext(td->label_)] = Exiv2::toString((double)Exiv2::getULong( buf.pData_, bigEndian) / (double)Exiv2::getULong( buf2.pData_, bigEndian));
+
+ // Sanity check with an "unreasonably" large number
+ if (dataLength > 200) {
+#ifndef SUPPRESS_WARNINGS
+ EXV_ERROR << "Xmp.video Nikon Tags, dataLength was found to be larger than 200."
+ << " Entries considered invalid. Not Processed.
";
+#endif
+ io_->seek(io_->tell() + dataLength - 8, BasicIo::beg);
+ }
+ else
io_->read(buf.pData_, dataLength - 8);
}
else if(dataType == 8) {
@@ -1092,6 +1133,16 @@ namespace Exiv2 {
io_->read(buf2.pData_, 2);
if(td)
xmpData_[exvGettext(td->label_)] = Exiv2::toString(Exiv2::getUShort( buf.pData_, bigEndian) ) + " " + Exiv2::toString(Exiv2::getUShort( buf2.pData_, bigEndian));
+
+ // Sanity check with an "unreasonably" large number
+ if (dataLength > 200) {
+#ifndef SUPPRESS_WARNINGS
+ EXV_ERROR << "Xmp.video Nikon Tags, dataLength was found to be larger than 200."
+ << " Entries considered invalid. Not Processed.
";
+#endif
+ io_->seek(io_->tell() + dataLength - 4, BasicIo::beg);
+ }
+ else
io_->read(buf.pData_, dataLength - 4);
}
}
--
exiv2 packaging