[main] Fix integer overflow #2179 #2181
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## main #2181 +/- ##
==========================================
+ Coverage 63.29% 63.34% +0.04%
==========================================
Files 99 99
Lines 19591 19595 +4
Branches 9556 9560 +4
==========================================
+ Hits 12400 12412 +12
+ Misses 5117 5112 -5
+ Partials 2074 2071 -3
Continue to review full report at Codecov.
|
piponazo
force-pushed
the
main_issue2179
branch
4 times, most recently
from
a8d113a
to
2a2f164
Compare
piponazo
commented
Apr 6, 2022
| size_t pos = sizeFront; | ||
| while (0 == Photoshop::locateIptcIrb(pPsData + pos, sizePsData - pos, &record, &sizeHdr, &sizeIptc)) { | ||
| long nextSizeData = Safe::add<long>(static_cast<long>(sizePsData), -static_cast<long>(pos)); | ||
| enforce(nextSizeData >= 0, ErrorCode::kerCorruptedMetadata); |
There was a problem hiding this comment.
The fix is in lines 188-189 & 196-197. I ended up using Safe::add<long> to make sure that there is not integer overflow and I also used later enforce to make sure that the substraction is positive.
piponazo
commented
Apr 6, 2022
|
|
||
| TEST(Photoshop_setIptcIrb, detectIntegerOverflow_withDataFromPOC2179) { | ||
| const std::array<byte, 141> data{ | ||
| 0x38, 0x42, 0x49, 0x4d, 0x20, 0x20, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x38, 0x42, 0x49, 0x4d, 0x04, 0x04, |
There was a problem hiding this comment.
This is the test which is replicating the case detected by oss-fuzz. Note that the assertion is checking that an exception is thrown.
This was referenced Apr 6, 2022
It has been detected that we need to always pass the size==4 in the call to isIrb. Probably it is better to remove that parameter and document that it is assumed for the buffer to have a length of 4 bytes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix #2179
I considered adding a python test to process the POC file, but I realised that the
exiv2application is not exercising the part of the code that has been modified. In #2179 @kevinbackhouse mentioned that in order to reproduce the issue, one needs to use thefuzz-read-print-writeapplication. However that application only gets compiled in the FUZZ jobs.Any ideas of how we could try to exercise that part of the code with a python test?
Other possibility would be to try to add a unit test which directly calls
Photoshop::setIptcIrb. It might be a good opportunity for me to get more familiar with that part of the code base.