CRW: crashes when passed invalid data
Status: Closed
Start date: 11 Mar 2013
Assignee: Robin Mills
% Done:
Category: image format
Estimated time: 1.00 hour
crwimage.cpp is missing some sanity checks, leading to crashes when trying to load malformed CRW files.
The offset sanity check in readDirectory on line 460 can be overflowed, leading to a crash on the next line on 64-bit machines.
The size and offset read in doRead on lines 423 and 424 aren't sanity-checked, leading to a crash in later code when passed invalid size/offset values.
Two test cases attached.
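As an added illustration of the offset/size check the report describes, not code from exiv2's crwimage.cpp: a hypothetical CIFF-style record-range check in the wrapping form beside an overflow-safe form, applied to a constructed directory entry.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed example, not exiv2's own reader. A CRW (CIFF) directory
// entry carries a 32-bit record size and offset taken straight from the
// file; the parser must prove both fit inside the buffer before use.

// Naive check: adds offset and size in 32-bit arithmetic, so a huge size
// wraps the sum back below bufSize and out-of-range values pass.
bool naiveRangeCheck(uint32_t offset, uint32_t size, uint32_t bufSize) {
    return offset + size <= bufSize;   // sum can wrap around
}

// Hardened check: reject the offset first, then compare size against the
// space that remains, so no addition can overflow on any word size.
bool safeRangeCheck(uint64_t offset, uint64_t size, uint64_t bufSize) {
    if (offset > bufSize) return false;
    return size <= bufSize - offset;
}

// Read a 32-bit little-endian value at pos (CIFF is little-endian).
static uint32_t getULong(const std::vector<uint8_t>& buf, size_t pos) {
    return uint32_t(buf[pos]) | uint32_t(buf[pos + 1]) << 8 |
           uint32_t(buf[pos + 2]) << 16 | uint32_t(buf[pos + 3]) << 24;
}

// Validate a constructed 10-byte entry laid out as tag(2) size(4) offset(4).
// Returns true only if the entry itself and the record it points to lie
// entirely inside buf.
bool entryIsSane(const std::vector<uint8_t>& buf, size_t entryPos) {
    if (buf.size() < entryPos || buf.size() - entryPos < 10) return false;
    uint32_t size   = getULong(buf, entryPos + 2);
    uint32_t offset = getULong(buf, entryPos + 6);
    return safeRangeCheck(offset, size, buf.size());
}
```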
#5 Updated by Robin Mills about 2 years ago
- Category changed from exif to image format
- Status changed from Assigned to Closed
- Assignee set to Robin Mills
- % Done changed from 0 to 100
- Estimated time set to 1.00
Fix submitted: r4329. Thank you, Alyssa, for reporting this. Apologies that it has taken so long to investigate this.
562 rmills@rmillsmbp:~/gnu/exiv2/trunk $ ls -alt ~/Downloads/*.crw
-rw-r--r--@ 1 rmills staff 18 14 Jun 21:37 /Users/rmills/Downloads/bad-directory-offset.crw
-rw-r--r--@ 1 rmills staff 30 14 Jun 21:17 /Users/rmills/Downloads/size-offset.crw
563 rmills@rmillsmbp:~/gnu/exiv2/trunk $ exiv2 ~/Downloads/*.crw
Exiv2 exception in print action for file /Users/rmills/Downloads/bad-directory-offset.crw: This does not look like a CRW image
Exiv2 exception in print action for file /Users/rmills/Downloads/size-offset.crw: Offset out of range
564 rmills@rmillsmbp:~/gnu/exiv2/trunk $