[WIP] Backporting security fixes to 0.26 #120
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
(cherry picked from commit d4e7510)
(cherry picked from commit 9aad5cd)
=> Should fix Exiv2#76 (most of the work has been done by Robin Mills in 6e3855a) The problem with Exiv2#76 is the contents of the 26th IFD, with the following contents: tag: 0x8649 type: 0x1 count: 0xffff ffff offset: 0x4974 The issue is the size of count (uint32_t), as adding anything to it causes an overflow. Especially the expression: (size*count + pad+20) results in an overflow and gives 20 as a result instead of 0x100000014, thus the condition in the if in the next line is false and the program continues to run (until it crashes at io.read). To properly account for the overflow, the brackets have to be removed, as then the result is saved in the correctly sized type and not cast after being calculated in the smaller type.
Source: Exiv2#57 (comment) tc can be a null pointer when the TIFF tag is unknown (the factory then returns an auto_ptr(0)) => as this can happen for corrupted files, an explicit check should be used because an assertion can be turned of in release mode (with NDEBUG defined) This also fixes Exiv2#57
A heap buffer overflow could occur in memcpy when icc.size_ is larger than data.size_ - pad, as then memcpy would read out of bounds of data. This commit adds a sanity check to iccLength (= icc.size_): if it is larger than data.size_ - pad (i.e. an overflow would be caused) an exception is thrown. This fixes Exiv2#71.
The invalid memory dereference in Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read() is caused further up the call-stack, by v->read(pData, size, byteOrder) in TiffReader::readTiffEntry() passing an invalid pData pointer (pData points outside of the Tiff file). pData can be set out of bounds in the (size > 4) branch where baseOffset() and offset are added to pData_ without checking whether the result is still in the file. As offset comes from an untrusted source, an attacker can craft an arbitrarily large offset into the file. This commit adds a check into the problematic branch, whether the result of the addition would be out of bounds of the Tiff file. Furthermore the whole operation is checked for possible overflows.
v can be null if the typeId is invalid => throw an exception notifying the user that his file is corrupted instead of the assertion
|
Crap! I see one of the checks has failed. You're not quite there yet - however you will be soon. |
|
It seems that it was a failure in travis-ci (yes ... sometimes it fails). I just re-triggered the jobs to see if they pass now. |
|
Oh damn it! It seems that one of the PPAs that we are using to provision software in the Travis-CI virtual machines is discontinued. I will try to fix the situation in other Pull Request ASAP |
|
Oh ... I was not looking at this correctly. Of course, in 0.26 we did not have all the travis-ci stuff. Actually travis should not run any check on this PR since there is not I will merge this since we already checked those fixes in master. |
|
Thanks for taking care of this! 🥇 |
This was referenced Oct 17, 2017
Merged
27 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I have backported the security fixes of the recent weeks to the newly created 0.26 branch.
Unfortunately, the
bugfixes-test.outfile was impossible to merge, I'll try to recreate it manually (the main issue here is, that some debug output was removed/changed since 0.26). However, none of the reproducers should result in crashes any more.For completeness sake, the following issues were fixed: