List: graphicsmagick-commit
Subject: [GM-commit] GraphicsMagick: FindEXIFAttribute()/GenerateEXIFAttribute(): Cha...
From: GraphicsMagick Commits <graphicsmagick-commit () lists ! sourceforge ! net>
Date: 2018-09-09 18:00:17
Message-ID: mailman.10349.1536516025.1409.graphicsmagick-commit () lists ! sourceforge ! net
changeset f6aab6087677 in /hg/GraphicsMagick
details: http://hg.GraphicsMagick.org/hg/GraphicsMagick?cmd=changeset;node=f6aab6087677
summary: FindEXIFAttribute()/GenerateEXIFAttribute(): Change size types from signed to unsigned and check for unsigned overflow.
diffstat:
ChangeLog | 7 +++++
magick/attribute.c | 64 +++++++++++++++++++++++++++++++----------------------
www/Changelog.html | 6 +++++
3 files changed, 50 insertions(+), 27 deletions(-)
diffs (207 lines):
diff -r dfe0ac275b84 -r f6aab6087677 ChangeLog
--- a/ChangeLog Sun Sep 09 09:49:12 2018 -0500
+++ b/ChangeLog Sun Sep 09 13:00:14 2018 -0500
@@ -1,5 +1,12 @@
2018-09-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+ * magick/attribute.c (FindEXIFAttribute): Change size types from
+ signed to unsigned and check for unsigned overflow.
+ (GenerateEXIFAttribute): Change size types from signed to unsigned
+ and check for unsigned overflow. Fixes oss-fuzz 10283
+ "graphicsmagick/coder_JPG_fuzzer: Integer-overflow in
+ GenerateEXIFAttribute". (Credit to OSS-Fuzz)
+
* coders/sfw.c (ReadSFWImage): Enforce that file is read using the
JPEG reader. (Credit to OSS-Fuzz)
diff -r dfe0ac275b84 -r f6aab6087677 magick/attribute.c
--- a/magick/attribute.c Sun Sep 09 09:49:12 2018 -0500
+++ b/magick/attribute.c Sun Sep 09 13:00:14 2018 -0500
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003-2017 GraphicsMagick Group
+% Copyright (C) 2003-2018 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
%
% This program is covered by multiple licenses, which are described in
@@ -1367,12 +1367,12 @@
*/
static const char *
-EXIFTagToDescription(int t, char *tag_description)
+EXIFTagToDescription(unsigned int t, char *tag_description)
{
unsigned int
i;
- for (i=0; i < sizeof(tag_table)/sizeof(tag_table[0]); i++)
+ for (i=0; i < ArraySize(tag_table); i++)
{
if (tag_table[i].tag == t)
{
@@ -1403,7 +1403,7 @@
}
static const char *
-EXIFFormatToDescription(int f)
+EXIFFormatToDescription(unsigned int f)
{
const char
*description;
@@ -1453,7 +1453,7 @@
return description;
}
-static int
+static unsigned int
format_bytes[] =
{
0,
@@ -1592,7 +1592,7 @@
MagickBool
debug=MagickFalse;
- assert((sizeof(format_bytes)/sizeof(format_bytes[0])-1) == EXIF_NUM_FORMATS);
+ assert((ArraySize(format_bytes)-1) == EXIF_NUM_FORMATS);
{
const char *
@@ -1771,13 +1771,13 @@
nde=MAX_TAGS_PER_IFD;
for (; de < nde; de++)
{
- unsigned int
+ size_t
n;
- int
- t,
+ unsigned int
+ c,
f,
- c;
+ t;
unsigned char
*pde,
@@ -1792,11 +1792,16 @@
}
t=Read16u(morder,pde); /* get tag value */
f=Read16u(morder,pde+2); /* get the format */
- if ((f < 0) ||
- ((size_t) f >= sizeof(format_bytes)/sizeof(format_bytes[0])))
+ if ((size_t) f >= ArraySize(format_bytes))
break;
- c=(long) Read32u(morder,pde+4); /* get number of components */
- n=c*format_bytes[f];
+ c=Read32u(morder,pde+4); /* get number of components */
+ n=MagickArraySize(c,format_bytes[f]);
+ if ((n == 0) && (c != 0) && (format_bytes[f] != 0))
+ {
+ if (debug)
+ fprintf(stderr, "EXIF: Invalid Exif, too many components \
(%u).\n",c);
+ goto generate_attribute_failure;
+ }
if (n <= 4)
pval=(unsigned char *) pde+8;
else
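Review bot: The overflow guard after `n=MagickArraySize(c,format_bytes[f]);` depends on MagickArraySize() returning 0 when the product does not fit in size_t, and the hunk leaves that contract implicit; I would document it inline with `/* MagickArraySize() yields 0 on multiplication overflow; with c and format_bytes[f] both non-zero, n == 0 can only mean the product overflowed. */`. Note that f == 0 still passes this guard because format_bytes[0] is 0 (see the format_bytes hunk above), so n becomes 0 and the `n <= 4` branch treats the entry as an inline value; whether that is intended deserves a one-line comment as well. The same guard is repeated verbatim in the FindEXIFAttribute hunk (the one ending in `goto find_attribute_failure`), so both comments belong there too. The enclosing loop body continues outside the hunk.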
@@ -1817,7 +1822,7 @@
{
fprintf(stderr,
"EXIF: TagVal=%d TagDescr=\"%s\" Format=%d "
- "FormatDescr=\"%s\" Components=%d\n",t,
+ "FormatDescr=\"%s\" Components=%u\n",t,
EXIFTagToDescription(t,tag_description),f,
EXIFFormatToDescription(f),c);
}
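Review bot: `TagVal=%d` and `Format=%d` in this debug fprintf are now paired with t and f, which the declaration hunk above changed to unsigned int, but only the Components specifier was updated to `%u`; the values are 16-bit so the mismatch is harmless on common ABIs, yet it is formally a type mismatch and -Wformat will flag it. The format line should read `"EXIF: TagVal=%u TagDescr=\"%s\" Format=%u "`. The same line occurs in the FindEXIFAttribute debug hunk further down and needs the identical change.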
@@ -1853,7 +1858,7 @@
it was not requested, then we don't return a string value
for it.
*/
- if (all || (tag == t) || (GPS_OFFSET == t))
+ if (all || (tag == (int) t) || (GPS_OFFSET == t))
{
char
s[MaxTextExtent];
@@ -1912,7 +1917,7 @@
/*
Only report value if this tag was requested.
*/
- if (all || (tag == t))
+ if (all || (tag == (int) t))
{
FormatString(s,"%lu",offset);
value=AllocateString(s);
@@ -2592,7 +2597,7 @@
attribp = (unsigned char *)NULL;
- assert((sizeof(format_bytes)/sizeof(format_bytes[0])-1) == EXIF_NUM_FORMATS);
+ assert((ArraySize(format_bytes)-1) == EXIF_NUM_FORMATS);
{
const char *
@@ -2678,13 +2683,13 @@
nde=MAX_TAGS_PER_IFD;
for (; de < nde; de++)
{
- unsigned int
+ size_t
n;
- int
- t,
+ unsigned int
+ c,
f,
- c;
+ t;
unsigned char
*pde,
@@ -2700,11 +2705,16 @@
}
t=Read16u(morder,pde); /* get tag value */
f=Read16u(morder,pde+2); /* get the format */
- if ((f < 0) ||
- ((size_t) f >= sizeof(format_bytes)/sizeof(format_bytes[0])))
+ if ((size_t) f >= ArraySize(format_bytes))
break;
- c=(long) Read32u(morder,pde+4); /* get number of components */
- n=c*format_bytes[f];
+ c=Read32u(morder,pde+4); /* get number of components */
+ n=MagickArraySize(c,format_bytes[f]);
+ if ((n == 0) && (c != 0) && (format_bytes[f] != 0))
+ {
+ if (debug)
+ fprintf(stderr, "EXIF: Invalid Exif, too many components \
(%u).\n",c);
+ goto find_attribute_failure;
+ }
if (n <= 4)
pval=(unsigned char *) pde+8;
else
@@ -2725,7 +2735,7 @@
{
fprintf(stderr,
"EXIF: TagVal=%d TagDescr=\"%s\" Format=%d "
- "FormatDescr=\"%s\" Components=%d\n",t,
+ "FormatDescr=\"%s\" Components=%u\n",t,
EXIFTagToDescription(t,tag_description),f,
EXIFFormatToDescription(f),c);
}
diff -r dfe0ac275b84 -r f6aab6087677 www/Changelog.html
--- a/www/Changelog.html Sun Sep 09 09:49:12 2018 -0500
+++ b/www/Changelog.html Sun Sep 09 13:00:14 2018 -0500
@@ -38,6 +38,12 @@
<p>2018-09-09 Bob Friesenhahn <<a class="reference external" \
href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span> \
4;</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
+<li>magick/attribute.c (FindEXIFAttribute): Change size types from
+signed to unsigned and check for unsigned overflow.
+(GenerateEXIFAttribute): Change size types from signed to unsigned
+and check for unsigned overflow. Fixes oss-fuzz 10283
+"graphicsmagick/coder_JPG_fuzzer: Integer-overflow in
+GenerateEXIFAttribute". (Credit to OSS-Fuzz)</li>
<li>coders/sfw.c (ReadSFWImage): Enforce that file is read using the
JPEG reader. (Credit to OSS-Fuzz)</li>
<li>coders/miff.c (ReadMIFFImage): Fix leak of 'values' buffer due