Blame SOURCES/exiv2-wrong-brackets.patch

From 1e07c98dfcbd8ac10ee02088f08235f5e1700148 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Wed, 27 Sep 2017 23:38:49 +0200
Subject: Fixed wrong brackets: size*count + pad can overflow before the cast

=> Should fix #76 (most of the work has been done by Robin Mills in
   6e3855aed7ba8bb4731fc4087ca7f9078b2f3d97)

The problem with #76 is the contents of the 26th IFD, with the
following contents:
tag: 0x8649
type: 0x1
count: 0xffff ffff
offset: 0x4974

The issue is the size of count (uint32_t), as adding anything to it
causes an overflow. Especially the expression:
(size*count + pad+20)
results in an overflow and gives 20 as a result instead of
0x100000014, thus the condition in the if in the next line is false
and the program continues to run (until it crashes at io.read).

To properly account for the overflow, the brackets have to be removed,
as then the result is saved in the correctly sized type and not cast
after being calculated in the smaller type.

diff --git a/src/image.cpp b/src/image.cpp
index ec5b873e..199671b9 100644
--- a/src/image.cpp
+++ b/src/image.cpp
@@ -401,7 +401,7 @@ namespace Exiv2 {
                 // if ( offset > io.size() ) offset = 0; // Denial of service?
 
                 // #55 memory allocation crash test/data/POC8
-                long long allocate = (long long) (size*count + pad+20);
+                long long allocate = (long long) size*count + pad+20;
                 if ( allocate > (long long) io.size() ) {
                     throw Error(57);
                 }
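Review bot: The `+` line is correct only because the cast now binds to `size` alone (so `count` and `pad` are widened at the `*` and `+`), which is exactly the subtlety the `-` line got wrong, so it deserves a comment, or a more explicit form such as `(long long) size * (long long) count + pad + 20`, stating that the widening is intentional and must precede the multiplication. The same comment should say where `size` is bounded: the hunk does not show where it comes from, and if it is small (a per-type byte width) the product fits comfortably in 64 bits, but the product of two full 32-bit values can exceed `LLONG_MAX`, so the bound is what makes the new guard `allocate > (long long) io.size()` sound.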
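The wrap-around described in the commit message, as an added C example that is not code from the patch or from the Exiv2 project: it places the old and the new expression side by side with the IFD values the message quotes (size 1 for type 0x1, count 0xffffffff) and shows why the old guard let the request through. The assumption, which the hunk does not show, is that `size`, `count` and `pad` are all `uint32_t`; `pad` is taken as 1 here because that is the value that yields the 0x100000014 the message reports.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Old form (the "-" line): the whole sum is computed in 32-bit unsigned
   arithmetic and only then widened, so the wrap has already happened. */
long long allocate_wrapped(uint32_t size, uint32_t count, uint32_t pad)
{
    return (long long) (size * count + pad + 20);
}

/* New form (the "+" line): the cast applies to `size` only, so `count`
   and `pad` are converted to long long at the `*` and `+` and the whole
   expression is evaluated in 64-bit signed arithmetic. */
long long allocate_widened(uint32_t size, uint32_t count, uint32_t pad)
{
    return (long long) size * count + pad + 20;
}

/* Mirrors the guard that follows the assignment in image.cpp:
   returns 1 when the request is larger than the file, 0 otherwise. */
int exceeds_file(long long allocate, long long io_size)
{
    return allocate > io_size;
}

int main(void)
{
    /* Constructed inputs matching the commit message: type 0x1 is one
       byte wide, count is 0xffffffff, pad assumed to be 1. */
    uint32_t size = 1u, count = 0xffffffffu, pad = 1u;
    /* Constructed file size: a few hundred bytes past the offset 0x4974. */
    long long io_size = 0x5000LL;

    long long old_value = allocate_wrapped(size, count, pad);
    long long new_value = allocate_widened(size, count, pad);

    printf("old expression: %lld (guard triggers: %d)\n",
           old_value, exceeds_file(old_value, io_size));
    printf("new expression: %lld (guard triggers: %d)\n",
           new_value, exceeds_file(new_value, io_size));
    return 0;
}
```

With these inputs the old expression evaluates to 20 and the guard stays silent, while the new one evaluates to 4294967316 (0x100000014) and the guard fires; for ordinary inputs such as size 4, count 10 the two agree, which is why the bug only surfaced with a hostile count.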