Bug #534

Integer overflow when reading thumbnail

Added by Andreas Huggel over 9 years ago. Updated over 8 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Andreas Huggel
% Done: 0%
Category: exif
Target version: 0.16

Description

Mail from "Meder Kydyraliev" <>, 14-Dec-07:
---

Test: [fuzz-118.jpg] IFD1's (thumbnail IFD) JpegIFOffset(0x0201) and
JpegIFByteCount(0x0202) are set to values that overflow if added

exiv2-0.16-pre1:

- Test leads to an integer overflow in JpegThumbnail::setDataArea():

exif.cpp (lines 308-309):
...
    if (len < offset + size) return 2;
    format->setDataArea(buf + offset, size);
...
value.hpp (lines 1600-1607):
    template<typename T>
    inline int ValueType<T>::setDataArea(const byte* buf, long len)
    {
        byte* tmp = 0;
        if (len > 0) {
            tmp = new byte[len];
            std::memcpy(tmp, buf, len);
        }
It seems like TiffThumbnail::setDataArea() might also have this problem.

Please credit "Meder Kydyraliev, Google Security Team" in any advisories
relating to these issues.

fuzz-118.jpg (43.5 KB) Redmine Admin, 14 Dec 2007 09:01
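The failure mode described in the report is the bounds check `len < offset + size` accepting an out-of-range request because the sum wraps. The following is an added illustration, not code from Exiv2 or from the reporter: it places a check written in the same shape as the quoted exif.cpp line beside a form that never computes `offset + size` and so cannot wrap, and wraps the copy step in a hypothetical `copyDataArea` helper that only copies when the safe check passes. The field values are constructed; `uint32_t` is used instead of the page's `long` so the wrap-around is well defined and reproducible (signed overflow in C++ is undefined behaviour).

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Check written like the quoted exif.cpp line: "if (len < offset + size) return 2;".
// offset + size can wrap to a small value, so an enormous offset slips through.
bool naiveOffsetSizeOk(uint32_t len, uint32_t offset, uint32_t size) {
    return !(len < offset + size);
}

// Hardened check: validates offset against len first, then size against the
// remaining space. No addition of attacker-controlled fields is ever formed.
bool safeOffsetSizeOk(uint32_t len, uint32_t offset, uint32_t size) {
    return offset <= len && size <= len - offset;
}

// Constructed sample buffer standing in for the bytes of an image file.
std::vector<uint8_t> makeSampleBuffer(size_t n) {
    std::vector<uint8_t> buf(n);
    for (size_t i = 0; i < n; ++i) buf[i] = static_cast<uint8_t>(i & 0xff);
    return buf;
}

// Hypothetical stand-in for the thumbnail copy into a data area: returns the
// number of bytes copied, or -1 when the hardened check rejects the request.
long copyDataArea(const std::vector<uint8_t>& buf, uint32_t offset, uint32_t size,
                  std::vector<uint8_t>& out) {
    if (!safeOffsetSizeOk(static_cast<uint32_t>(buf.size()), offset, size)) return -1;
    out.assign(buf.begin() + offset, buf.begin() + offset + size);
    return static_cast<long>(size);
}

int main() {
    // Constructed values: a ~43.5 KB file and IFD1 fields chosen so that
    // JpegIFOffset + JpegIFByteCount wraps around in 32-bit arithmetic.
    const uint32_t len = 44544;
    const uint32_t badOffset = 0xFFFFFF00u;
    const uint32_t badSize = 0x200u;

    std::printf("naive check accepts wrapped request: %s\n",
                naiveOffsetSizeOk(len, badOffset, badSize) ? "yes" : "no");
    std::printf("safe check accepts wrapped request:  %s\n",
                safeOffsetSizeOk(len, badOffset, badSize) ? "yes" : "no");

    std::vector<uint8_t> out;
    std::vector<uint8_t> buf = makeSampleBuffer(len);
    std::printf("copy of a valid thumbnail range: %ld bytes\n", copyDataArea(buf, 100, 200, out));
    std::printf("copy of the wrapped range:       %ld\n", copyDataArea(buf, badOffset, badSize, out));
    return 0;
}
```

The hardened form also handles the two edge cases a reviewer would ask about: `offset == len` with `size == 0` is accepted (an empty data area at the end of the buffer), while `size` exceeding `len - offset` by one is rejected.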

History

#1 Updated by Andreas Huggel over 9 years ago

r1345

(r1344 is not related to this issue, the svn comment is wrong.)

