exiv2
Link : https://github.com/Exiv2/exiv2/commit/81bf649540ff22a312d41757772dc0864d69773e
Description: Loop with Unreachable Exit Condition ('Infinite Loop')
CVE Info: CVE-2021-37622
At src/jpgimage.cpp
@@ -637,8 +637,9 @@ namespace Exiv2 {
// Read size and signature
std::memset(buf.pData_, 0x0, buf.size_);
bufRead = io_->read(buf.pData_, bufMinSize);
+ if (io_->error() || bufRead != bufMinSize)
- if (io_->error())
throw Error(kerFailedToReadImageData);
- if (bufRead != bufMinSize) exit(1);
const uint16_t size = mHasLength[marker] ? getUShort(buf.pData_, bigEndian) : 0;
if (bPrint && mHasLength[marker])
out << Internal::stringFormat(" | %7d ", size);
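Review bot: The merged condition `if (io_->error() || bufRead != bufMinSize)` now reports a truncated marker segment with the same kerFailedToReadImageData as a genuine I/O failure, so a caller or log reader can no longer tell the two apart. A short comment would at least record the intent, e.g. `// A short read means the segment claims more data than the stream holds; treat it as corrupt rather than continuing with a zeroed buffer.` The read loop that contains these lines starts and ends outside the hunk, so whether the throw is caught per marker or aborts the whole parse is not visible here.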
Tags
#Invalid-condition
#Infinite-loop-error
#Multi-line
#Modified
#CVE
Link : https://github.com/Exiv2/exiv2/commit/17f0d759662aa88343b6084e8c97d67ef363a030
Description: Reachable Assertion
CVE Info: CVE-2021-32815
At src/crwimage_int.cpp
@@ -1254,12 +1254,10 @@ namespace Exiv2 {
for (ExifData::const_iterator i = b; i != e; ++i) {
if (i->ifdId() != ifdId) continue;
const uint16_t s = i->tag()*2 + static_cast<uint16_t>(i->size());
+ if (s <= size) {
+ if (len < s) len = s;
+ i->copy(buf.pData_ + i->tag()*2, byteOrder);
+ } else {
+ EXV_ERROR << "packIfdId out-of-bounds error: s = " << std::dec << s << "\n";
+ }
- assert(s <= size);
- if (len < s) len = s;
- i->copy(buf.pData_ + i->tag()*2, byteOrder);
-
}
// Round the size to make it even.
buf.size_ = len + len%2;
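Review bot: The bounds test on the `if (s <= size)` line checks a `uint16_t` that is built on the line above from `i->tag()*2 + static_cast<uint16_t>(i->size())`, an `int` expression narrowed on assignment, while the write target on the `i->copy(buf.pData_ + i->tag()*2, byteOrder)` line uses the un-narrowed `i->tag()*2`. If `tag()` can be 0x8000 or larger, the truncated `s` can pass the check while the real offset exceeds `size`; whether such tags can reach this function is not visible in the hunk. Computing the bound in a wide type removes the question: `const size_t s = static_cast<size_t>(i->tag()) * 2 + static_cast<size_t>(i->size());` with the comparison against `size` left as it is. The enclosing function begins before this hunk.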
Tags
#Logical-error
#Memory-error
#Multi-line
#Modified
#CVE
Link : https://github.com/Exiv2/exiv2/commit/86d0a1d5d9f6dc41013a6690408add974e59167c
Description: Out-of-bounds Read
CVE Info: CVE-2021-37619
At src/jp2image.cpp
@@ -656,14 +656,12 @@ static void boxes_check(size_t b,size_t m)
char* p = (char*) boxBuf.pData_;
bool bWroteColor = false ;
+ while ( count < length && !bWroteColor ) {
- while ( count < length || !bWroteColor ) {
enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
// copy data. pointer could be into a memory mapped file which we will decode!
+ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
+ Jp2BoxHeader subBox;
+ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
- Jp2BoxHeader subBox = *pSubBox ;
Jp2BoxHeader newBox = subBox;
if ( count < length ) {
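Review bot: With the loop condition now `count < length && !bWroteColor`, the inner `if ( count < length )` at the end of the hunk is always true on entry and reads as a leftover of the old `||` form; if its else branch (outside the hunk) does nothing else, it can be dropped. The `pSubBox` cast is now used only as the source of a `memcpy`, so the C-style cast can go as well: `memcpy(&subBox, p + count, sizeof(Jp2BoxHeader));`. The loop body continues beyond the hunk.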
Tags
#Invalid-condition
#Memory-error
#Multi-line
#Modified
#CVE
Link : https://github.com/Exiv2/exiv2/commit/476be794d0cdc2f63083221469019141d0a81389
Description: Out-of-bounds Read
CVE Info: CVE-2020-18771
At src/nikonmn_int.cpp
@@ -370,12 +370,8 @@ namespace Exiv2 {
const ExifData*)
{
if (value.count() >= 1) {
+ const unsigned long focusArea = value.toLong(0);
+ if (focusArea >= EXV_COUNTOF(nikonFocusarea)) {
+ os << "Invalid value";
+ } else {
+ os << nikonFocusarea[focusArea];
+ }
- unsigned long focusArea = value.toLong(0);
- os << nikonFocusarea[focusArea];
}
if (value.count() >= 2) {
os << "; ";
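Review bot: The line `const unsigned long focusArea = value.toLong(0);` relies on a negative `toLong()` result converting to a large unsigned value so that the `>= EXV_COUNTOF(nikonFocusarea)` test rejects it; that is correct but looks accidental to a reader. A comment pins the intent: `// negative values wrap to large unsigned values and are rejected by the bounds check below`. The function signature is cut off above the hunk, and whether `toLong()` can return a negative value here is not visible.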
Tags
#Omission
#Memory-error
#Multi-line
#Modified
#CVE
Link : https://github.com/Exiv2/exiv2/commit/e0c7d64d93bc36205e5f2b1502b59f7b23f90150
Description: Out-of-bounds Read
CVE Info: CVE-2021-29473
At src/jp2image.cpp
@@ -908,7 +908,6 @@ static void boxes_check(size_t b,size_t m)
case kJp2BoxTypeUuid:
{
+ enforce(boxBuf.size_ >= 24, Exiv2::kerCorruptedMetadata);
if(memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16) == 0)
{
#ifdef EXIV2_DEBUG_MESSAGES
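Review bot: The added `enforce(boxBuf.size_ >= 24, ...)` guards the `memcmp(boxBuf.pData_ + 8, kJp2UuidExif, 16)` below it, but the literal 24 hides that relationship. Either spell it out from the operands, `enforce(boxBuf.size_ >= 8 + 16, Exiv2::kerCorruptedMetadata); // box header + UUID`, or add a comment naming the two parts. If later branches of this `case` compare other UUIDs at the same offset the guard covers them too, but the rest of the `case` is outside the hunk.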
Tags
#Omission
#Memory-error
#Single-line
#Added
#CVE
Link : https://github.com/Exiv2/exiv2/commit/6fa2e31206127bd8bcac0269311f3775a8d6ea21
Description: Integer Overflow or Wraparound
CVE Info: CVE-2019-13109
At src/pngimage.cpp
@@ -33,7 +33,6 @@
#include "image_int.hpp"
#include "basicio.hpp"
#include "error.hpp"
+#include "enforce.hpp"
#include "futils.hpp"
#include "types.hpp"
@@ -469,7 +468,6 @@ namespace Exiv2 {
}
profileName_ = std::string(reinterpret_cast<char *>(chunkData.pData_), iccOffset-1);
++iccOffset; // +1 = 'compressed' flag
+ enforce(iccOffset <= chunkLength, Exiv2::kerCorruptedMetadata);
zlibToDataBuf(chunkData.pData_ + iccOffset, chunkLength - iccOffset, iccProfile_);
#ifdef DEBUG
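Review bot: The added `enforce(iccOffset <= chunkLength, ...)` permits `iccOffset == chunkLength`, so the following `zlibToDataBuf(chunkData.pData_ + iccOffset, chunkLength - iccOffset, iccProfile_)` can be called with a zero-length input and a pointer one past the chunk data; whether zlibToDataBuf tolerates that is not visible here. If an empty compressed profile is not meaningful, a strict bound is the safer choice: `enforce(iccOffset < chunkLength, Exiv2::kerCorruptedMetadata);`. The first hunk's include of enforce.hpp is what brings `enforce` into this file.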
Tags
#Etc
#Multi-line
#Added
#CVE
Link : https://github.com/Exiv2/exiv2/commit/9e6a5200893226056c1bb424bb4e3e1caf625991
Description: Integer Overflow or Wraparound
CVE Info: CVE-2021-29458
At src/crwimage_int.cpp
@@ -579,7 +579,7 @@ namespace Exiv2 {
void CiffComponent::setValue(DataBuf buf)
{
if (isAllocated_) {
+ delete[] pData_;
- delete pData_;
pData_ = 0;
size_ = 0;
}
@@ -1187,11 +1187,7 @@ namespace Exiv2 {
pCrwMapping->crwDir_);
if (edX != edEnd || edY != edEnd || edO != edEnd) {
uint32_t size = 28;
+ if (cc) {
+ if (cc->size() < size)
+ throw Error(kerCorruptedMetadata);
+ size = cc->size();
+ }
- if (cc && cc->size() > size) size = cc->size();
DataBuf buf(size);
std::memset(buf.pData_, 0x0, buf.size_);
if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
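Review bot: The new block sets `size` to `cc->size()` whenever `cc` is present, which is exactly what makes the `std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8)` below fit the buffer, but nothing says why 28 is the minimum or what the first 8 bytes hold. A comment on the `uint32_t size = 28;` line, such as `// minimum component size; buf is sized to cc so the copy below (cc->size() - 8 bytes at offset 8) cannot overrun`, would record the invariant the check establishes. The meaning of the 8-byte prefix is not visible in this hunk; the `delete[]` correction in the first hunk needs no further note.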
Tags
#Omission
#Logical-error
#Multi-line
#Modified
#CVE
Link : https://github.com/Exiv2/exiv2/commit/5d1d6981229b5e44401bf5c503100553fc7d877a
Description: Integer Overflow or Wraparound
CVE Info: CVE-2019-13108
At src/pngimage.cpp
@@ -469,9 +469,11 @@ namespace Exiv2
} else if (chunkType == "iCCP") {
// The ICC profile name can vary from 1-79 characters.
uint32_t iccOffset = 0;
+ do {
+ enforce(iccOffset < 80 && iccOffset < chunkLength, Exiv2::kerCorruptedMetadata);
+ } while(chunkData.pData_[iccOffset++] != 0x00);
- while (iccOffset < 80 && iccOffset < chunkLength) {
- if (chunkData.pData_[iccOffset++] == 0x00) {
- break;
- }
- }
profileName_ = std::string(reinterpret_cast<char *>(chunkData.pData_), iccOffset-1);
++iccOffset; // +1 = 'compressed' flag
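Review bot: The `do { enforce(...); } while (chunkData.pData_[iccOffset++] != 0x00);` loop accepts a NUL at offset 0, which yields an empty profile name on the `profileName_ = ...` line even though the comment above the loop says the name is 1-79 characters. If the project wants to enforce the stated range, `enforce(iccOffset > 1, Exiv2::kerCorruptedMetadata);` after the loop does it; if leniency is intended, the comment should say so. The `++iccOffset` on the last line steps one past the checked range; the `enforce(iccOffset <= chunkLength, ...)` shown in the CVE-2019-13109 entry on this page is what bounds the subsequent use.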
Tags
#Omission
#Logical-error
#Multi-line
#Modified
#CVE
Link : https://github.com/Exiv2/exiv2/commit/c0ecc2ae36f34462be98623deb85ba1747ae2175
Description: Integer Overflow or Wraparound
CVE Info: CVE-2019-13110
At src/crwimage_int.cpp
@@ -281,7 +281,7 @@ namespace Exiv2 {
if (size < 4)
throw Error(kerCorruptedMetadata);
uint32_t o = getULong(pData + size - 4, byteOrder);
+ if ( o > size-2 )
- if ( o+2 > size )
throw Error(kerCorruptedMetadata);
uint16_t count = getUShort(pData + o, byteOrder);
#ifdef DEBUG
@@ -289,7 +289,7 @@ namespace Exiv2 {
<<", " << count << " entries \n";
#endif
o += 2;
+ if ( static_cast<uint32_t>(count) * 10 > size-o )
- if ( (o + (count * 10)) > size )
throw Error(kerCorruptedMetadata);
for (uint16_t i = 0; i < count; ++i) {
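Review bot: The rewritten conditions `o > size-2` and `static_cast<uint32_t>(count) * 10 > size-o` are free of wrap-around only because of facts established a few lines earlier — `size >= 4` from the first check and `o <= size-2` before `o += 2` — and a reader has to reconstruct that chain. A comment on each would make the form self-evident, e.g. `// size >= 4 and o <= size-2 were checked above, so size-o cannot underflow; count*10 <= 655350 fits in uint32_t`. The loop that follows reads the entries, but its body is outside the hunk.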
Tags
#Invalid-format-string
#Multi-line
#Modified
#CVE
Link : https://github.com/Exiv2/exiv2/commit/b7c71f3ad0386cd7af3b73443c0615ada073f0d5
Description: Loop with Unreachable Exit Condition ('Infinite Loop')
CVE Info: CVE-2018-19108
At src/psdimage.cpp
@@ -199,7 +199,6 @@ namespace Exiv2 {
throw Error(kerNotAnImage, "Photoshop");
}
uint32_t resourcesLength = getULong(buf, bigEndian);
+ enforce(resourcesLength < io_->size(), Exiv2::kerCorruptedMetadata);
while (resourcesLength > 0)
{
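Review bot: The `enforce(resourcesLength < io_->size(), ...)` line bounds the declared length against the whole file rather than against the bytes remaining after the header already consumed, so a length smaller than the file but larger than the remainder still enters the `while (resourcesLength > 0)` loop. If the loop relies on its reads succeeding to make progress, `enforce(resourcesLength <= io_->size() - io_->tell(), Exiv2::kerCorruptedMetadata);` is the tighter bound, following the pattern the jp2image.cpp hunk on this page already uses. The loop body, and whether it handles a short read itself, lies outside the hunk.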
Tags
#Infinite-loop-error
#Etc
#Single-line
#Added
#CVE
Link : https://github.com/Exiv2/exiv2/commit/9092b422e699f520e8c317c6529907dd7646964b
Description: Out-of-bounds Read
At src/iptc.cpp
@@ -439,7 +439,6 @@ namespace Exiv2 {
std::cerr << "IptcParser::decode, size = " << size << "\n";
#endif
const byte* pRead = pData;
+ const byte* const pEnd = pData + size;
iptcData.clear();
uint16_t record = 0;
@@ -447,7 +446,7 @@ namespace Exiv2 {
uint32_t sizeData = 0;
byte extTest = 0;
+ while (6 <= static_cast<size_t>(pEnd - pRead)) {
- while (pRead + 3 < pData + size) {
// First byte should be a marker. If it isn't, scan forward and skip
// the chunk bytes present in some images. This deviates from the
// standard, which advises to treat such cases as errors.
@@ -461,7 +460,6 @@ namespace Exiv2 {
uint16_t sizeOfSize = (getUShort(pRead, bigEndian) & 0x7FFF);
if (sizeOfSize > 4) return 5;
pRead += 2;
+ if (sizeOfSize > static_cast<size_t>(pEnd - pRead)) return 6;
sizeData = 0;
for (; sizeOfSize > 0; --sizeOfSize) {
sizeData |= *pRead++ << (8 *(sizeOfSize-1));
@@ -472,7 +470,7 @@ namespace Exiv2 {
sizeData = getUShort(pRead, bigEndian);
pRead += 2;
}
+ if (sizeData <= static_cast<size_t>(pEnd - pRead)) {
- if (pRead + sizeData <= pData + size) {
int rc = 0;
if ((rc = readData(iptcData, dataSet, record, pRead, sizeData)) != 0) {
#ifndef SUPPRESS_WARNINGS
@@ -486,7 +484,6 @@ namespace Exiv2 {
else {
EXV_WARNING << "IPTC dataset " << IptcKey(dataSet, record)
<< " has invalid size " << sizeData << "; skipped.\n";
+ return 7;
}
#endif
pRead += sizeData;
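Review bot: The added `return 7;` sits inside the `else` branch that the `#endif` on the next line closes; if the matching `#ifndef SUPPRESS_WARNINGS` opens before the `else` (it is outside the hunk, but the layout matches the earlier warning block), a build with SUPPRESS_WARNINGS defined drops both the warning and the return, and `pRead += sizeData` advances past `pEnd`. Every loop bound in this change is written as `static_cast<size_t>(pEnd - pRead)`, which turns a negative difference into a huge value, so such a build would keep reading. Keep the return unconditional and put only the warning under the guard, as below. The enclosing `while` loop starts in an earlier hunk.
```cpp
            else {
#ifndef SUPPRESS_WARNINGS
                EXV_WARNING << "IPTC dataset " << IptcKey(dataSet, record)
                            << " has invalid size " << sizeData << "; skipped.\n";
#endif
                return 7;
            }
            pRead += sizeData;
```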
Tags
#Omission
#Invalid-condition
#Multi-line
#Modified
Link : https://github.com/Exiv2/exiv2/commit/b35c43e7c2409978a0c45f35c2ec8c7f625469df
Description: Out-of-bounds Read
At src/pngchunk_int.cpp
@@ -653,17 +653,9 @@ namespace Exiv2 {
}
}
+ // Parse the length.
+ long length = 0;
- const char* startOfLength = sp;
while ('0' <= *sp && *sp <= '9')
{
+ // Compute the new length using unsigned long, so that we can
+ // check for overflow.
+ const unsigned long newlength = (10 * static_cast<unsigned long>(length)) + (*sp - '0');
+ if (newlength > static_cast<unsigned long>(std::numeric_limits<long>::max())) {
+ return DataBuf(); // Integer overflow.
+ }
+ length = static_cast<long>(newlength);
sp++;
if (sp == eot )
{
@@ -675,7 +667,8 @@ namespace Exiv2 {
return DataBuf();
}
+ enforce(length <= (eot - sp)/2, Exiv2::kerCorruptedMetadata);
- long length = (long) atol(startOfLength);
- enforce(0 <= length && length <= (eot - sp)/2, Exiv2::kerCorruptedMetadata);
// Allocate space
if (length == 0)
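Review bot: The overflow guard `newlength > std::numeric_limits<long>::max()` can itself be defeated: `10 * static_cast<unsigned long>(length)` wraps in `unsigned long` once `length` exceeds `ULONG_MAX / 10`, a value still below `LONG_MAX` and therefore reachable after enough digits, and the wrapped product can land back under the limit and be accepted. Checking before multiplying avoids the wrap: `if (length > (std::numeric_limits<long>::max() - (*sp - '0')) / 10) return DataBuf(); // overflow` followed by `length = 10 * length + (*sp - '0');`. The later `enforce(length <= (eot - sp)/2, ...)` still caps what is allocated, so the visible effect is a mis-parsed length rather than an over-allocation, but the comment above the check promises detection it does not fully deliver. The function continues past the second hunk.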
Tags
#Omission
#Memory-error
#Multi-line
#Modified
Link : https://github.com/Exiv2/exiv2/commit/e93c3728252cd4b673ad5462c6d750380d35b299
Description: Allocation of Resources Without Limits or Throttling
CVE Info: CVE-2020-18899
At src/jp2image.cpp
@@ -501,7 +501,7 @@ namespace Exiv2
subBox.length = getLong((byte*)&subBox.length, bigEndian);
subBox.type = getLong((byte*)&subBox.type, bigEndian);
+ if (subBox.length < sizeof(box) || subBox.length > io_->size() - io_->tell()) {
- if (subBox.length > io_->size() - io_->tell()) {
throw Error(kerCorruptedMetadata);
}
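Review bot: The new lower bound `subBox.length < sizeof(box)` compares against `box` rather than `subBox`; if `box` is a `Jp2BoxHeader` (as the `Jp2BoxHeader subBox` pattern in the other jp2image.cpp hunk on this page suggests) the two sizes agree, but `sizeof(subBox)` or `sizeof(Jp2BoxHeader)` states the intent without depending on a sibling variable. A comment covering both halves would also help: `// a box must at least hold its own header and cannot run past the remaining input`. Whether `io_->tell()` can exceed `io_->size()` at this point, which would make the subtraction wrap, is not visible in the hunk.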
Tags
#Invalid-condition
#Single-line
#Modified
#CVE
Link : https://github.com/Exiv2/exiv2/commit/312a2d2788bfd21b5078319a1ad36086f697da36
Description: Loop with Unreachable Exit Condition ('Infinite Loop')
CVE Info: CVE-2018-20099
At src/tiffimage_int.cpp
@@ -1695,8 +1695,10 @@ namespace Exiv2 {
TiffFinder finder(0x00fe, imageGroups[i]);
pSourceDir->accept(finder);
TiffEntryBase* te = dynamic_cast<TiffEntryBase*>(finder.result());
+ const Value* pV = te != NULL ? te->pValue() : NULL;
+ if (pV && pV->typeId() == unsignedLong && pV->count() == 1 && (pV->toLong() & 1) == 0) {
- if ( te
- && te->pValue()->typeId() == unsignedLong
- && te->pValue()->count() == 1
- && (te->pValue()->toLong() & 1) == 0) {
primaryGroups.push_back(te->group());
}
}
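Review bot: The line `const Value* pV = te != NULL ? te->pValue() : NULL;` uses `NULL` where the project already writes `nullptr` (see the `fct = nullptr;` context in the exif.cpp hunk on this page); `const Value* pV = te != nullptr ? te->pValue() : nullptr;` keeps the style consistent. The rewritten condition also tests `pV` itself, so a null `pValue()` is handled as well as a null `te`, which the old form did not do. The loop that contains this check starts outside the hunk.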
Tags
#Infinite-loop-error
#Invalid-condition
#Multi-line
#Modified
#CVE
Link : https://github.com/Exiv2/exiv2/commit/6e42c1b55e0fc4f360cc56010b0ffe19aa6062d9
Description: NULL Pointer Dereference
CVE Info: CVE-2018-19607
At src/easyaccess.cpp
@@ -175,7 +175,7 @@ namespace Exiv2 {
md = md_st;
break;
}
+ while (strcmp(sensKeys->keys[idx++], md_st->key().c_str()) != 0 && idx < sensKeys->count) {}
- while (strcmp(sensKeys->keys[idx++], md_st->key().c_str()) != 0 && idx < cnt) {}
}
break;
}
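Review bot: In `while (strcmp(sensKeys->keys[idx++], ...) != 0 && idx < sensKeys->count) {}` the array access happens before the bound is tested, so the loop stays in bounds only if `idx < sensKeys->count` holds on entry, which this hunk does not show; the fix corrects which bound is used but not the order. Testing first, `while (idx < sensKeys->count && strcmp(sensKeys->keys[idx], md_st->key().c_str()) != 0) ++idx;`, makes the access safe unconditionally but leaves `idx` on the match rather than one past it, so the code after the loop (outside the hunk) would need the same adjustment. At minimum a comment stating the entry precondition is warranted.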
Tags
#Invalid-condition
#Single-line
#Modified
#CVE
Link : https://github.com/Exiv2/exiv2/commit/1d64f482ffd0e5836f4aec19f35028efb729cf12
Description: assertion '__n < this->size()' failed
At src/exif.cpp
@@ -229,22 +229,7 @@ namespace Exiv2 {
fct = nullptr;
}
}
+ if ( fct ) {
+ // https://github.com/Exiv2/exiv2/issues/1706
+ // Sometimes the type of the value doesn't match what the
+ // print function expects. (The expected types are stored
+ // in the TagInfo tables, but they are not enforced when the
+ // metadata is parsed.) These type mismatches can sometimes
+ // cause a std::out_of_range exception to be thrown.
+ try {
+ fct(os, value(), pMetadata);
+ } catch (std::out_of_range&) {
+ os << "Bad value";
+#ifdef EXIV2_DEBUG_MESSAGES
+ std::cerr << "Caught std::out_of_range exception in Exifdatum::write().\n";
+#endif
+ }
+ }
- if ( fct ) fct(os, value(), pMetadata);
return os;
}
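Review bot: The handler `catch (std::out_of_range&)` catches by non-const reference; the usual convention is `catch (const std::out_of_range&)`. The comment block explains the why well; one more sentence noting that other exception types are meant to propagate would make the narrow catch look deliberate rather than accidental. The start of `Exifdatum::write()` is above the hunk.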
Tags
#Logical-error
#Multi-line
#Modified
Link : https://github.com/Exiv2/exiv2/commit/a4c5bdac19e64686e94c770a0c84e6c61723eb3c
Description: stricter date parsing
At src/value.cpp
@@ -913,10 +913,7 @@ namespace Exiv2 {
std::memcpy(b, reinterpret_cast<const char*>(buf), 8);
int scanned = sscanf(b, "%4d%2d%2d",
&date_.year, &date_.month, &date_.day);
+ if ( scanned != 3
+ || date_.year < 0
+ || date_.month < 1 || date_.month > 12
+ || date_.day < 1 || date_.day > 31) {
- if (scanned != 3){
#ifndef SUPPRESS_WARNINGS
EXV_WARNING << Error(kerUnsupportedDateFormat) << "\n";
#endif
@@ -934,12 +931,9 @@ namespace Exiv2 {
#endif
return 1;
}
+ int scanned = sscanf(buf.c_str(), "%4d-%2d-%2d",
- int scanned = sscanf(buf.c_str(), "%4d-%d-%d",
&date_.year, &date_.month, &date_.day);
+ if ( scanned != 3
+ || date_.year < 0
+ || date_.month < 1 || date_.month > 12
+ || date_.day < 1 || date_.day > 31) {
- if (scanned != 3){
#ifndef SUPPRESS_WARNINGS
EXV_WARNING << Error(kerUnsupportedDateFormat) << "\n";
#endif
@@ -960,7 +954,7 @@ namespace Exiv2 {
// sprintf wants to add the null terminator, so use oversized buffer
char temp[9];
+ int wrote = snprintf(temp, sizeof(temp), "%04d%02d%02d", date_.year, date_.month, date_.day);
- int wrote = sprintf(temp, "%04d%02d%02d", date_.year, date_.month, date_.day);
assert(wrote == 8);
std::memcpy(buf, temp, wrote);
return wrote;
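Review bot: In the third hunk, `assert(wrote == 8)` after `snprintf(temp, sizeof(temp), "%04d%02d%02d", ...)` is the only thing between a year above 9999 and `std::memcpy(buf, temp, wrote)`, and the assert vanishes under NDEBUG; `snprintf` returns the untruncated length, so `wrote` could then exceed both `temp` and the 8 bytes the format implies. The parsing hunks only reject `date_.year < 0`, and `%4d` reads at most four digits, so a five-digit year can only arrive if `date_` is set by some path other than these parsers, which is not visible here. A runtime check such as `if (wrote != 8) throw Error(kerUnsupportedDateFormat);` keeps the copy bounded in release builds; the validation hunks could also add `|| date_.year > 9999` to their condition.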
Tags
#Logical-error
#Multi-line
#Modified
Link : https://github.com/Exiv2/exiv2/commit/cb32b809c80163c2392543dfb830dffe44e47f91
Description: Replace assertion with error message in TiffDirectory
At src/tiffcomposite_int.cpp
@@ -1236,12 +1236,7 @@ namespace Exiv2 {
valueIdx,
dataIdx,
imageIdx);
+#ifndef SUPPRESS_WARNINGS
+ if (len > 4) {
+ EXV_ERROR << "Unexpected length in TiffDirectory::writeDirEntry(): len == "
+ << len << ".\n";
+ }
+#endif
- assert(len <= 4);
if (len < 4) {
memset(buf, 0x0, 4);
ioWrapper.write(buf, 4 - len);
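Review bot: Replacing `assert(len <= 4)` with a logged error means execution now continues with `len > 4` into the `if (len < 4)` padding logic and whatever follows; the hunk does not show that the remainder of writeDirEntry() copes with an oversized entry, and the message itself calls the length unexpected. If continuing is safe, a comment saying why (for instance that the entry's data was already written elsewhere, if that is the case) should accompany the check; if it is not, `throw Error(kerCorruptedMetadata);` after the message is the safer replacement. Because the whole block sits under `#ifndef SUPPRESS_WARNINGS`, a suppressed build performs no check at all, which is acceptable only in the recoverable case.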
Tags
#Etc
#Multi-line
#Modified
Link : https://github.com/Exiv2/exiv2/commit/cb16324bcf7254faddeabb922f4b887eac8a83ab
Description: Large allocation
At src/tiffvisitor_int.cpp
@@ -1599,7 +1599,6 @@ namespace Exiv2 {
v->read(pData, size, byteOrder());
} else {
// Prevent large memory allocations: https://github.com/Exiv2/exiv2/issues/1881
+ enforce(isize <= 1024 * 1024, kerCorruptedMetadata);
// #1143 Write a "hollow" buffer for the preview image
// Sadly: we don't know the exact location of the image in the source (it's near offset)
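Review bot: The limit in `enforce(isize <= 1024 * 1024, kerCorruptedMetadata)` is a bare literal; a named constant near the function (e.g. `constexpr size_t kMaxHollowPreviewBytes = 1024 * 1024;`) would make the policy discoverable and give the issue link in the comment above a place to explain the choice of 1 MiB. If `isize` is a signed type, a negative value passes this check; whether it can be negative here is not visible in the hunk. The else-branch continues beyond the hunk.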
Tags
#Etc
#Single-line
#Added
Link : https://github.com/Exiv2/exiv2/commit/b52b6db39f048187ec5afcce61847eb5d050c332
Description: -PV option doesn't print the key
At src/exiv2.cpp
@@ -720,7 +720,7 @@ int Params::evalPrintFlags(const std::string& optArg)
printItems_ |= prHex;
break;
case 'V':
+ printItems_ |= prSet | prKey | prType | prValue;
- printItems_ |= prSet | prValue;
break;
default:
std::cerr << progname() << ": " << _("Unrecognized print item") << " `" << i << "'\n";