CRW: crashes when passed invalid data
crwimage.cpp is missing some sanity checks, leading to crashes when trying to load malformed CRW files.
The offset sanity check in readDirectory on line 460 can be overflowed, leading to a crash on the next line on 64-bit machines.
The size and offset read in doRead on lines 423 and 424 aren't sanity-checked, leading to a crash in later code when passed invalid size/offset values.
Two testcases attached.
Updated by Robin Mills about 3 years ago
- Category changed from exif to image format
- Status changed from Assigned to Closed
- Assignee set to Robin Mills
- % Done changed from 0 to 100
- Estimated time set to 1.00 h
Fix submitted: r4329. Thank You, Alyssa for reporting this. Apologies that it has taken so long to investigate this.
562 rmills@rmillsmbp:~/gnu/exiv2/trunk $ ls -alt ~/Downloads/*.crw -rw-r--r--@ 1 rmills staff 18 14 Jun 21:37 /Users/rmills/Downloads/bad-directory-offset.crw -rw-r--r--@ 1 rmills staff 30 14 Jun 21:17 /Users/rmills/Downloads/size-offset.crw 563 rmills@rmillsmbp:~/gnu/exiv2/trunk $ exiv2 ~/Downloads/*.crw Exiv2 exception in print action for file /Users/rmills/Downloads/bad-directory-offset.crw: This does not look like a CRW image Exiv2 exception in print action for file /Users/rmills/Downloads/size-offset.crw: Offset out of range 564 rmills@rmillsmbp:~/gnu/exiv2/trunk $