Merge pull request #1797 from Exiv2/mergify/bp/main/pr-1788

Make sure that read is complete to prevent infinite loop (backport #1788)
Exiv2 · Jul 25, 2021 · 81bf649 · 81bf649
2 parents 7251a96 + 9004fb5
commit 81bf649
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/src/jpgimage.cpp b/src/jpgimage.cpp
@@ -637,10 +637,8 @@ namespace Exiv2 {
                 // Read size and signature
                 std::memset(buf.pData_, 0x0, buf.size_);
                 bufRead = io_->read(buf.pData_, bufMinSize);
-                if (io_->error())
+                if (io_->error() || bufRead != bufMinSize)
                     throw Error(kerFailedToReadImageData);
-                if (bufRead < 2)
-                    throw Error(kerNotAJpeg);
                 const uint16_t size = mHasLength[marker] ? getUShort(buf.pData_, bigEndian) : 0;
                 if (bPrint && mHasLength[marker])
                     out << Internal::stringFormat(" | %7d ", size);

diff --git a/test/data/issue_ghsa_9jh3_fcc3_g6hv_poc.jpg b/test/data/issue_ghsa_9jh3_fcc3_g6hv_poc.jpg
diff --git a/tests/bugfixes/github/test_issue_ghsa_9jh3_fcc3_g6hv.py b/tests/bugfixes/github/test_issue_ghsa_9jh3_fcc3_g6hv.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path
+@CopyTmpFiles("$data_path/issue_ghsa_9jh3_fcc3_g6hv_poc.jpg")
+
+class JpegBasePrintStructureInfiniteLoop(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv
+    """
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-9jh3-fcc3-g6hv"
+
+    filename = path("$tmp_path/issue_ghsa_9jh3_fcc3_g6hv_poc.jpg")
+    commands = ["$exiv2 -d I rm $filename"]
+    stdout = [""]
+    stderr = [
+"""Warning: JPEG format error, rc = 2
+Exiv2 exception in erase action for file $filename:
+$kerFailedToReadImageData
+"""]
+    retval = [1]