Bug #889
CRW: crashes when passed invalid data
Start date:
11 Mar 2013
Due date:
% Done:
100%
Estimated time:
1.00 h
Description
crwimage.cpp is missing some sanity checks, leading to crashes when trying to load malformed CRW files.
The offset sanity check in readDirectory on line 460 can be overflowed, leading to a crash on the next line on 64-bit machines.
The size and offset read in doRead on lines 423 and 424 aren't sanity-checked, leading to a crash in later code when passed invalid size/offset values.
Two testcases attached.
Files
Associated revisions
History
Updated by Robin Mills over 8 years ago
- Category set to exif
- Status changed from New to Assigned
- Assignee set to Robin Mills
- Target version set to 0.24
Thanks, Alyssa. I'll take a look at this.
Updated by Robin Mills over 6 years ago
- Target version changed from 0.25 to 0.26
Deferred to v0.26. Insufficient time to deal with this for v0.25.
Updated by Robin Mills over 5 years ago
- Category changed from exif to image format
- Status changed from Assigned to Closed
- Assignee set to Robin Mills
- % Done changed from 0 to 100
- Estimated time set to 1.00 h
Fix submitted: r4329. Thank you, Alyssa, for reporting this. Apologies that it has taken so long to investigate this.
562 rmills@rmillsmbp:~/gnu/exiv2/trunk $ ls -alt ~/Downloads/*.crw
-rw-r--r--@ 1 rmills staff 18 14 Jun 21:37 /Users/rmills/Downloads/bad-directory-offset.crw
-rw-r--r--@ 1 rmills staff 30 14 Jun 21:17 /Users/rmills/Downloads/size-offset.crw
563 rmills@rmillsmbp:~/gnu/exiv2/trunk $ exiv2 ~/Downloads/*.crw
Exiv2 exception in print action for file /Users/rmills/Downloads/bad-directory-offset.crw:
This does not look like a CRW image
Exiv2 exception in print action for file /Users/rmills/Downloads/size-offset.crw:
Offset out of range
564 rmills@rmillsmbp:~/gnu/exiv2/trunk $
#889. Fix submitted. Thanks to Alyssa for reporting this. Apologies for taking so long to investigate.
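The two missing checks described in the report, shown as an added example (this is not Exiv2's code and not the r4329 change). It assumes the flawed check has the form offset + len > size in 32-bit unsigned arithmetic, and a simplified block layout in which the last 4 bytes hold the offset of a 2-byte entry count; the function names and sample bytes are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Assumed shape of the flawed check: the 32-bit sum wraps around, so an
// offset close to UINT32_MAX is accepted as "in range".
bool naiveInRange(uint32_t offset, uint32_t len, uint32_t size) {
    return !(offset + len > size);
}

// Overflow-safe form: never add two untrusted values, subtract from the bound.
bool safeInRange(uint32_t offset, uint32_t len, uint32_t size) {
    return offset <= size && len <= size - offset;
}

// Little-endian readers; the caller must have validated the range first.
static uint32_t getULong(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}
static uint16_t getUShort(const uint8_t* p) { return uint16_t(p[0] | p[1] << 8); }

// Hypothetical reader for the simplified layout: returns the entry count,
// or throws when the block is too small or the stored offset is out of range.
uint16_t readEntryCount(const std::vector<uint8_t>& buf) {
    if (buf.size() < 4 || buf.size() > UINT32_MAX) throw std::out_of_range("bad block size");
    const uint32_t size = static_cast<uint32_t>(buf.size());
    const uint32_t o = getULong(buf.data() + size - 4);
    if (!safeInRange(o, 2, size)) throw std::out_of_range("Offset out of range");
    return getUShort(buf.data() + o);
}

// Constructed sample blocks (not the testcases attached to this issue).
std::vector<uint8_t> goodBlock() { return {0x03, 0x00, 0x00, 0x00, 0x00, 0x00}; }
std::vector<uint8_t> badBlock()  { return {0x03, 0x00, 0xFE, 0xFF, 0xFF, 0xFF}; }

bool rejects(const std::vector<uint8_t>& buf) {
    try { readEntryCount(buf); return false; }
    catch (const std::out_of_range&) { return true; }
}

int main() {
    std::printf("naive check accepts 0xFFFFFFFE+2 in 6 bytes: %d\n", naiveInRange(0xFFFFFFFEu, 2, 6));
    std::printf("safe check accepts it: %d\n", safeInRange(0xFFFFFFFEu, 2, 6));
    std::printf("good block count: %u, bad block rejected: %d\n",
                unsigned(readEntryCount(goodBlock())), rejects(badBlock()));
    return 0;
}
```

The same safeInRange test applies to the per-entry size and offset values before any pointer is formed from them.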