Main jp2 image bounts

src/jp2image.cpp

@@ -646,11 +646,11 @@ static void boxes_check(size_t b,size_t m)
     void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
     {
         DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
-        int     outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
-        int      inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+        long    outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+        long    inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
         Jp2BoxHeader* pBox   = (Jp2BoxHeader*) boxBuf.pData_;
-        int32_t       length = getLong((byte*)&pBox->length, bigEndian);
-        int32_t       count  = sizeof (Jp2BoxHeader);
+        uint32_t      length = getLong((byte*)&pBox->length, bigEndian);
+        uint32_t      count  = sizeof (Jp2BoxHeader);
         char*         p      = (char*) boxBuf.pData_;
         bool          bWroteColor = false ;
 
@@ -667,6 +667,7 @@ static void boxes_check(size_t b,size_t m)
 #ifdef EXIV2_DEBUG_MESSAGES
                 std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl;
 #endif
+                enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata);
                 count        += subBox.length;
                 newBox.type   = subBox.type;
             } else {
@@ -675,13 +676,14 @@ static void boxes_check(size_t b,size_t m)
                 count = length;
             }
 
-            int32_t newlen = subBox.length;
+            uint32_t newlen = subBox.length;
             if ( newBox.type == kJp2BoxTypeColorHeader ) {
                 bWroteColor = true ;
                 if ( ! iccProfileDefined() ) {
                     const char* pad   = "\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid";
                     uint32_t    psize = 15;
                     newlen            = sizeof(newBox) + psize ;
+                    enforce(newlen <= static_cast<size_t>(output.size_ - outlen), Exiv2::kerCorruptedMetadata);
                     ul2Data((byte*)&newBox.length,psize      ,bigEndian);
                     ul2Data((byte*)&newBox.type  ,newBox.type,bigEndian);
                     ::memcpy(output.pData_+outlen                     ,&newBox            ,sizeof(newBox));
@@ -690,13 +692,15 @@ static void boxes_check(size_t b,size_t m)
                     const char* pad   = "\x02\x00\x00";
                     uint32_t    psize = 3;
                     newlen            = sizeof(newBox) + psize + iccProfile_.size_;
+                    enforce(newlen <= static_cast<size_t>(output.size_ - outlen), Exiv2::kerCorruptedMetadata);
                     ul2Data((byte*)&newBox.length,newlen,bigEndian);
                     ul2Data((byte*)&newBox.type,newBox.type,bigEndian);
                     ::memcpy(output.pData_+outlen                     ,&newBox            ,sizeof(newBox)  );
                     ::memcpy(output.pData_+outlen+sizeof(newBox)      , pad               ,psize           );
                     ::memcpy(output.pData_+outlen+sizeof(newBox)+psize,iccProfile_.pData_,iccProfile_.size_);
                 }
             } else {
+                enforce(newlen <= static_cast<size_t>(output.size_ - outlen), Exiv2::kerCorruptedMetadata);
                 ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length);
             }
 

tests/bugfixes/github/test_issue_ghsa_jgm9_5fw5_pw9p.py

@@ -0,0 +1,43 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, path
+
+
+class WebPImageDoWriteMetadataOutOfBoundsRead(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p
+    """
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p"
+
+    filename1 = path("$data_path/issue_ghsa_jgm9_5fw5_pw9p_poc.jp2")
+    filename2 = path("$data_path/issue_ghsa_jgm9_5fw5_pw9p_poc.exv")
+    commands = ["$exiv2 in $filename1"]
+    stdout = [""]
+    stderr = [
+"""Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x010f has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x010f has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x0000 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x8769 has unknown Exif (TIFF) type 0; setting type size 1.
+Warning: Directory Image, entry 0x8769 doesn't look like a sub-IFD.
+Warning: Directory Image, entry 0x8825 doesn't look like a sub-IFD.
+$filename1: Could not write metadata to file: $kerCorruptedMetadata
+"""]
+    retval = [1]