Bug #893

EPS: crash on invalid input

Added by Alyssa Milburn over 8 years ago. Updated about 5 years ago.

Target version:
Start date:
14 Mar 2013
Due date:
% Done:


Estimated time:


epsimage.cpp:329/335 don't detect overflow of pos+size (and don't error out in the read case anyway). You can crash 32-bit builds by passing invalid values in these fields and trying to read preview images (e.g. by passing 'extract -e p' to exiv2), since the check on preview.cpp:476 is overflowed too. Testcase attached.


bad-preview.eps (55 Bytes) bad-preview.eps Alyssa Milburn, 14 Mar 2013 14:46



Updated by Robin Mills over 8 years ago

  • Category set to metadata
  • Status changed from New to Assigned
  • Assignee set to Volker Grabsch
  • Target version set to 0.24


Our new friend Alyssa M has been very helpfully inspecting the code and has identified various matters in the Video code which Abhinav is fixing. Alyssa has now turned his (skillful) attention to the EPS code. I hope you'll be able to take a look. However if you don't have time, then please assign it back to me and I'll have a look.



Updated by Volker Grabsch over 8 years ago

  • Assignee changed from Volker Grabsch to Robin Mills

I'd love to fix it myself, but unfortunately my time is very limited at the moment. So I won't be able to provide a full fix.

It would be great if someone else could take care of this. I could then take a look at a proposed solution patch, if you want.

It seems that this issue only affects the "DOS-EPS" handling, and not the EPS parser itself. So I wouldn't expect much side-effects when fixing this issue. Also, I provided an almost exhaustive test suite which should give some confidence in the changes even for people who aren't fully into the EPS parsing stuff.

Finally, it would be great to have the provided example EPS file added the EPS testcases.



Updated by Robin Mills over 8 years ago

  • Target version changed from 0.24 to 0.25

Deferred to 0.25.


Updated by Robin Mills over 6 years ago

  • Target version changed from 0.25 to 0.26

Deferred to v0.26. Insufficient time to deal with this for v0.25.


Updated by Robin Mills over 6 years ago

  • Assignee deleted (Robin Mills)

Updated by Robin Mills about 5 years ago

  • Target version changed from 0.26 to 0.28

I've put in around 1200 hours of unpaid work to get to code complete v0.26 and closed almost 200 issues. Regrettably, there are only 5 or 6 issues on which I have not been able to work. This is one. Deferred for v0.27.

Also available in: Atom PDF