From 70567edd9fc8753cc176de02b1d96f504a14e82c Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Hubert=20Figui=C3=A8re?= <hub@figuiere.net>

Date: Sun, 26 Mar 2017 01:10:11 -0400

Subject: [PATCH 2/5] Bug 100397 - Fix crash on malformed JPEG file

---

 source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp | 10 +++++++---

 source/XMPFiles/FormatSupport/TIFF_Support.hpp      | 13 ++++++++++++-

 source/common/EndianUtils.hpp                       |  9 +++++++++

 3 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp b/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp

index 316cea0..1446cb4 100644

--- a/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp

+++ b/source/XMPFiles/FormatSupport/TIFF_MemoryReader.cpp

@@ -65,7 +65,7 @@ void TIFF_MemoryReader::SortIFD ( TweakedIFDInfo* thisIFD )

 		} else if ( thisTag == prevTag ) {

 			// Duplicate tag, keep the 2nd copy, move the tail of the array up, prevTag is unchanged.

-			memcpy ( &ifdEntries[i-1], &ifdEntries[i], 12*(tagCount-i) );	// AUDIT: Safe, moving tail forward, i >= 1.

+			memmove ( &ifdEntries[i-1], &ifdEntries[i], 12*(tagCount-i) ); // may overlap -- Hub

 			--tagCount;

 			--i; // ! Don't move forward in the array, we've moved the unseen part up.

@@ -81,7 +81,7 @@ void TIFF_MemoryReader::SortIFD ( TweakedIFDInfo* thisIFD )

 				// Out of order duplicate, move it to position j, move the tail of the array up.

 				ifdEntries[j] = ifdEntries[i];

-				memcpy ( &ifdEntries[i], &ifdEntries[i+1], 12*(tagCount-(i+1)) );	// AUDIT: Safe, moving tail forward, i >= 1.

+				memmove ( &ifdEntries[i], &ifdEntries[i+1], 12*(tagCount-(i+1)) );	// may overlap -- Hub

 				--tagCount;

 				--i; // ! Don't move forward in the array, we've moved the unseen part up.

@@ -212,7 +212,11 @@ bool TIFF_MemoryReader::GetTag ( XMP_Uns8 ifd, XMP_Uns16 id, TagInfo* info ) con

 		info->dataLen = thisTag->bytes;

 		info->dataPtr = this->GetDataPtr ( thisTag );

-

+		// Here we know that if it is NULL, it is wrong. -- Hub

+		// GetDataPtr will return NULL in case of overflow.

+		if (info->dataPtr == NULL) {

+			return false;

+		}

 	}

 	return true;

diff --git a/source/XMPFiles/FormatSupport/TIFF_Support.hpp b/source/XMPFiles/FormatSupport/TIFF_Support.hpp

index 9af76c4..95badba 100644

--- a/source/XMPFiles/FormatSupport/TIFF_Support.hpp

+++ b/source/XMPFiles/FormatSupport/TIFF_Support.hpp

@@ -723,7 +723,18 @@ private:

 	const TweakedIFDEntry* FindTagInIFD ( XMP_Uns8 ifd, XMP_Uns16 id ) const;

 	const inline void* GetDataPtr ( const TweakedIFDEntry* tifdEntry ) const

-		{ if ( tifdEntry->bytes <= 4 ) return &tifdEntry->dataOrPos; else return (this->tiffStream + tifdEntry->dataOrPos); };

+		{ if ( GetUns32AsIs(&tifdEntry->bytes) <= 4 ) {

+			return &tifdEntry->dataOrPos;

+		  } else {

+			XMP_Uns32 pos = GetUns32AsIs(&tifdEntry->dataOrPos);

+			if (pos + GetUns32AsIs(&tifdEntry->bytes) > this->tiffLength) {

+				// Invalid file.

+				// The data is past the length of the TIFF.

+				return NULL;

+			}

+			return (this->tiffStream + pos);

+		  }

+		}

 	static inline void NotAppropriate() { XMP_Throw ( "Not appropriate for TIFF_Reader", kXMPErr_InternalFailure ); };

diff --git a/source/common/EndianUtils.hpp b/source/common/EndianUtils.hpp

index 59e2e32..0e2e2fe 100644

--- a/source/common/EndianUtils.hpp

+++ b/source/common/EndianUtils.hpp

@@ -148,6 +148,15 @@ GetUns32LE ( const void * addr )

 // -------------------------------------------------------------------------------------------------

+static inline XMP_Uns32

+GetUns32AsIs ( const void * addr )

+{

+	XMP_Uns32 value = *((XMP_Uns32*)addr);

+	return value;   // Use this to avoid SPARC failure to handle unaligned loads and stores.

+}

+

+// -------------------------------------------------------------------------------------------------

+

 static inline XMP_Uns64

 GetUns64BE ( const void * addr )

 {

-- 

2.17.2