Fix for #378 #379

Merged
merged 2 commits into from
Jul 16, 2018

Member

@D4N D4N commented Jul 9, 2018

The size parameter is only checked for upper bounds, but not for the lower bounds.
If it is too small, then the created dataBuf will be too small and overflow in one of the subsequent memcpy() calls. Enforcing the size should fix this.

@D4N D4N requested review from piponazo and clanmills July 9, 2018 03:43
@@ -517,6 +517,8 @@ namespace Exiv2 {
DataBuf payload(size);

if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_canvas_data) {
enforce(size >= 10, Exiv2::kerCorruptedMetadata);
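Review bot: the literal 10 in `enforce(size >= 10, Exiv2::kerCorruptedMetadata);` has no stated derivation, so a reader cannot tell which accesses it protects. The bound is only right while it equals the largest offset plus length that this VP8X branch touches in `payload` (those accesses are not shown in the hunk); a named constant, or a one-line comment listing the fields that add up to 10, would make the check verifiable and keep it from drifting if the reads below change.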
Collaborator

[question] Where do all these hard-coded values (10, 5, 12) come from? Could we infer those values from some existing enum types, structures, etc.? Otherwise, some comments might be needed to understand the meaning of those values.

Member Author

I took a look at the following code and checked how large size must be at least so that the memcpy calls don't read out of bounds. Unfortunately the values are simply inserted there as numbers. I can take a look whether we can give them meaningful names.

D4N added 2 commits July 16, 2018 23:40
The size parameter is only checked for upper bounds, but not for lower.
If it is too small, then created dataBuf will be too small and overflow in one
of the subsequent memcpy() calls.

This fixes Exiv2#378 / CVE-2018-14046
@D4N D4N merged commit 505e241 into Exiv2:master Jul 16, 2018
@D4N D4N deleted the fix_378 branch July 16, 2018 22:10
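
The lower-bound check discussed in this PR, and the review question about naming the constants, as an added example that is not Exiv2's code: the minimum payload size is derived from named field offsets (the VP8X layout comes from the WebP container specification) instead of a bare literal. `parseVp8x`, `Canvas`, `readU24`, `kMaxPayload` and the other identifiers are hypothetical, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// VP8X payload layout per the WebP container specification:
// flags (1) + reserved (3) + canvas width-1 (3, LE) + canvas height-1 (3, LE).
constexpr std::size_t kFlagsAndReserved = 4;
constexpr std::size_t kDimBytes = 3;
constexpr std::size_t kWidthOffset = kFlagsAndReserved;
constexpr std::size_t kHeightOffset = kWidthOffset + kDimBytes;
constexpr std::size_t kVp8xMinPayload = kHeightOffset + kDimBytes;  // 10 bytes
constexpr std::size_t kMaxPayload = 1u << 20;  // assumed upper bound for this example

struct Canvas { uint32_t width; uint32_t height; };

// Reads a 24-bit little-endian value. Precondition: off + kDimBytes <= buf.size().
static uint32_t readU24(const std::vector<uint8_t>& buf, std::size_t off) {
    uint8_t raw[kDimBytes];
    std::memcpy(raw, buf.data() + off, kDimBytes);
    return raw[0] | (raw[1] << 8) | (static_cast<uint32_t>(raw[2]) << 16);
}

// Hypothetical parser. declaredSize is the untrusted size field of the chunk,
// data holds the bytes that follow it in the file.
bool parseVp8x(uint32_t declaredSize, const std::vector<uint8_t>& data, Canvas& out) {
    if (declaredSize > kMaxPayload) return false;      // upper bound
    if (declaredSize < kVp8xMinPayload) return false;  // lower bound: last read ends at byte 10
    if (data.size() < declaredSize) return false;      // file shorter than it claims
    std::vector<uint8_t> payload(data.begin(), data.begin() + declaredSize);
    out.width = readU24(payload, kWidthOffset) + 1;
    out.height = readU24(payload, kHeightOffset) + 1;
    return true;
}

int main() {
    // Constructed sample: 320x240 canvas, then the same bytes with size = 4.
    const std::vector<uint8_t> sample = {0x10, 0, 0, 0, 0x3F, 0x01, 0x00, 0xEF, 0x00, 0x00};
    Canvas c{0, 0};
    std::printf("size=10 -> %d\n", parseVp8x(10, sample, c));
    std::printf("canvas %ux%u\n", (unsigned)c.width, (unsigned)c.height);
    std::printf("size=4  -> %d\n", parseVp8x(4, sample, c));
    return 0;
}
```

Because `kVp8xMinPayload` is computed from the same offsets the reads use, adding or moving a field changes the bound automatically.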