Insufficient verification (cycle) in function Image::printIFDStructure in image.cpp:335 #547
Comments
The option -pR is for debugging. In Exiv2 v0.27, option -pR will throw an exception on NDEBUG builds. We will also modify the code to trap this "fuzzed" file so that it doesn't loop on Debug builds.
@cool-tomato We will fix this in Exiv2 v0.27 RC3 which is scheduled to be released on Friday 7 December 2018. We're busy today releasing Exiv2 v0.27 RC2 and don't want to lose focus.
Oh, I got it, thank you.
An update about this. When removing the option -pR from the release builds, a few tests fail on CI:
@D4N Do you remember if you put something in place in the python framework to skip tests in a particular compilation mode? Right now we are just compiling and running the tests in CI in Release mode. A temporary solution would be to skip these tests for the moment, and enable them back after the 0.27 Release with new job configurations in Travis and Appveyor to compile the project and run the tests in Debug mode. I would not try to set up the CI scripts now to build and run stuff in Debug mode, since it will probably take a lot of work.
I'll add an option to the Jenkins script to build/test in debug. You're right that we should test this before v0.27. I don't think we should delay GM. I'll review your code this afternoon.
There is no such explicit option. If the build type is accessible via an environment variable, then you can just do a:

    import os
    import unittest

    # unittest.skipIf takes the condition and a required reason string
    @unittest.skipIf(os.getenv('BUILDTYPE') == 'Release', "needs a Debug build")
    class Test(unittest.TestCase):
        pass

I was considering adding something more convenient to the test suite, but didn't have a good idea how to integrate that yet. @clanmills What about the
There are several of those printXXXX villains that should throw in NDEBUG builds. I think printIFDStructure() is only called when we use option kpsRecursive, but I can't remember! (it's my age, you know). We can detect a debug build with the command
Somehow the fix to exiv2 -pR to block release builds isn't in v0.27 RC3. I'll investigate.
I'm mistaken. The fix for -pR is in RC3 (and RC4). The issue with the test file
Should this issue then be closed? I see that you closed it and reopened it consecutively. I double checked this, and it is fine on master (the
I changed my mind about closing it. I'd like you to inspect the code when I get 0.27-RC4 finished.
@piponazo I've rewritten the dict_t dicts_t stuff (and removed the static which is clearly wrong). In the image object I've added Reservations which is a vector. A Reservation is a pair<at,length>. When we parse tiff data in printIFD, with every read, I update the Reservations. For example, as we move along the chain of tiff directories, I update the reservations. If the tiff has been fuzzed to create a circular reference, it'll already be in Reservations and we throw an exception. That fixes poc.dms (and several other pocs). Disabling option -pR in exiv2/Release is OK, however this change hardens the library code.
@clanmills What's the plan about this? Do you think it is still needed to address the issue in the library code? or now that the option
Fix submitted: #1210
I found a bug in function printIFDStructure() in image.cpp:335. In the big do...while loop, there may be more than one IFD structure, namely multiple images. But there is a situation where, if the offset of the second IFD is the same as the one before, the program goes into an infinite loop.
This can be reproduced with cmd:
./exiv2 -pR poc
The poc can be found here.
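The cyclic IFD chain the report describes and the Reservations check @clanmills outlines in the comments above, as an added example that is not Exiv2's own code: a minimal little-endian TIFF IFD walker records every byte range it reads as an (offset, length) reservation and throws as soon as a next-IFD pointer lands in a range already read. The names walkIfdChain, makeTiff and cycleDetected and the sample bytes are constructed for this example, not taken from the poc.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <utility>
#include <vector>
// A reservation is a byte range (offset, length) that has already been read.
using Reservation = std::pair<size_t, size_t>;
// Reserve [at, at+len). A fuzzed next-IFD pointer that leads back to an IFD
// already visited overlaps that IFD's reservation, so we throw instead of looping.
static void reserve(std::vector<Reservation>& r, size_t at, size_t len) {
    for (const Reservation& x : r)
        if (at < x.first + x.second && x.first < at + len)
            throw std::runtime_error("IFD range already read: cycle or overlap");
    r.emplace_back(at, len);
}
// Bounds-checked little-endian read of 'width' (2 or 4) bytes at offset p.
static uint32_t rdLE(const std::vector<uint8_t>& b, size_t p, size_t width) {
    if (p + width > b.size()) throw std::runtime_error("offset past end of file");
    uint32_t v = 0;
    for (size_t i = 0; i < width; ++i) v |= uint32_t(b[p + i]) << (8 * i);
    return v;
}
// Walk the IFD chain of a little-endian TIFF and return the number of IFDs.
// An IFD is 2 bytes (entry count) + 12 bytes per entry + 4 bytes (next-IFD offset).
size_t walkIfdChain(const std::vector<uint8_t>& buf) {
    std::vector<Reservation> reserved;
    reserve(reserved, 0, 8);                       // header: "II", 42, offset of IFD0
    size_t ifds = 0;
    for (size_t at = rdLE(buf, 4, 4); at != 0; ++ifds) {
        size_t n = rdLE(buf, at, 2);
        reserve(reserved, at, 2 + 12 * n + 4);     // throws on a second visit
        at = rdLE(buf, at + 2 + 12 * n, 4);        // next-IFD pointer; 0 ends the chain
    }
    return ifds;
}
// Constructed sample (not the issue's poc): IFD0 at offset 8 with no entries
// chains to IFD1 at 14, whose next pointer is 0 (clean) or 8 (the fuzzed cycle).
std::vector<uint8_t> makeTiff(bool cyclic) {
    std::vector<uint8_t> b = {'I', 'I', 0x2A, 0, 8, 0, 0, 0,   // header
                              0, 0, 14, 0, 0, 0,               // IFD0
                              0, 0, 0, 0, 0, 0};               // IFD1
    b[16] = cyclic ? 8 : 0;
    return b;
}
// True when the walker rejected the file as cyclic, false when it finished.
bool cycleDetected(const std::vector<uint8_t>& buf) {
    try { walkIfdChain(buf); return false; }
    catch (const std::runtime_error&) { return true; }
}
```

The same overlap test also rejects an IFD that points into the header or into its own entries, which the plain "have I seen this offset before" check would miss.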