Bug #534
Integer overflow when reading thumbnail
% Done: 0%
Description
Mail from "Meder Kydyraliev" <meder@google.com>, 14-Dec-07:
---
Test: [fuzz-118.jpg] IFD1's (thumbnail IFD) JpegIFOffset(0x0201) and
JpegIFByteCount(0x0202) are set to values that overflow if added
exiv2-0.16-pre1:
- Test leads to an integer overflow in JpegThumbnail::setDataArea():
exif.cpp:
...
308 if (len < offset + size) return 2;
309 format->setDataArea(buf + offset, size);
...
value.hpp:
1600 template<typename T>
1601 inline int ValueType<T>::setDataArea(const byte* buf, long len)
1602 {
1603 byte* tmp = 0;
1604 if (len > 0) {
1605 tmp = new byte[len];
1606 std::memcpy(tmp, buf, len);
1607 }
It seems like TiffThumbnail::setDataArea() might also have this problem.
Please credit "Meder Kydyraliev, Google Security Team" in any advisories
relating to these issues.
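The failure mode described in the report, as an added example (this is not exiv2 code and not part of the original ticket): the check at exif.cpp line 308 forms `offset + size` before comparing it with `len`, so a thumbnail IFD whose JpegIFOffset (0x0201) and JpegIFByteCount (0x0202) sum past the width of `long` wraps to a small value, passes the check, and is then handed to setDataArea(), which trusts the caller's bounds and copies from `buf + offset`. The function names here are hypothetical stand-ins, `long` is modelled as an unsigned 32-bit quantity so that the wrap-around is well defined (an assumption; the real field is a signed `long`, which on a 32-bit build wraps in the same way), and the 64-byte input buffer and the fuzzed tag values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the vulnerable check quoted from exif.cpp:
 *     if (len < offset + size) return 2;
 * offset and size are the attacker-controlled TIFF ULONG values of
 * JpegIFOffset (0x0201) and JpegIFByteCount (0x0202). The sum is
 * formed first, so it can wrap to a value smaller than len. */
static int thumb_check_vulnerable(uint32_t len, uint32_t offset, uint32_t size)
{
    if (len < offset + size) return 2;   /* BUG: offset + size may wrap */
    return 0;
}

/* Hardened form: never form the sum; bound each operand separately.
 * After the first test, len - offset cannot underflow. */
static int thumb_check_hardened(uint32_t len, uint32_t offset, uint32_t size)
{
    if (offset > len) return 2;
    if (size > len - offset) return 2;
    return 0;
}

/* Mirror of ValueType<T>::setDataArea, which allocates size bytes and
 * memcpy()s them from buf + offset without re-validating the range.
 * Here it is only reached through the hardened check; returns NULL
 * when the request is rejected or empty, otherwise a malloc()ed copy
 * the caller must free(). */
static unsigned char *copy_thumbnail(const unsigned char *buf, uint32_t len,
                                     uint32_t offset, uint32_t size)
{
    if (thumb_check_hardened(len, offset, size) != 0) return NULL;
    if (size == 0) return NULL;
    unsigned char *tmp = malloc(size);
    if (tmp == NULL) return NULL;
    memcpy(tmp, buf + offset, size);    /* safe: offset + size <= len */
    return tmp;
}

/* Constructed fuzz case: 0xFFFFFFF0 + 0x20 wraps to 0x10 in 32 bits,
 * which is smaller than a 64-byte buffer, so the vulnerable check passes. */
#define FUZZ_OFFSET 0xFFFFFFF0u
#define FUZZ_COUNT  0x20u
#define FILE_LEN    64u

int main(void)
{
    unsigned char file[FILE_LEN];
    for (uint32_t i = 0; i < FILE_LEN; i++) file[i] = (unsigned char)i;

    printf("vulnerable check on fuzzed IFD1: %d (0 = accepted, the bug)\n",
           thumb_check_vulnerable(FILE_LEN, FUZZ_OFFSET, FUZZ_COUNT));
    printf("hardened check on fuzzed IFD1:   %d (2 = rejected)\n",
           thumb_check_hardened(FILE_LEN, FUZZ_OFFSET, FUZZ_COUNT));

    unsigned char *thumb = copy_thumbnail(file, FILE_LEN, 32, 8);
    if (thumb != NULL) {
        printf("valid thumbnail copied, first byte 0x%02x\n", thumb[0]);
        free(thumb);
    }
    return 0;
}
```

The hardened comparison `size > len - offset` is the shape to use whenever an untrusted offset and count come from a file: it is correct for any width of `len` and, because the subtraction is guarded by `offset > len`, it needs no wider intermediate type. The same pattern applies to TiffThumbnail::setDataArea() mentioned in the report, since it consumes the same kind of offset/count pair.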