Fix/tiff readtiffentry uint32 overflow#3529
Open
blackcaesar0 wants to merge 2629 commits into Exiv2:0.27-maintenance from
It looks like clang-tidy messed up the parentheses here. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
These are already deleted. No need to be explicit. Signed-off-by: Rosen Penev <rosenp@gmail.com>
found with performance-inefficient-string-concatenation Signed-off-by: Rosen Penev <rosenp@gmail.com>
This pointer was converted to unique_ptr a while back, which deleted copying functions anyway. No need for this anymore. Signed-off-by: Rosen Penev <rosenp@gmail.com>
No need for the full blown thing. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Should result in slightly faster compilation. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Just like the others. Also add some comments to deleted functions for the same reason. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Simpler. Signed-off-by: Rosen Penev <rosenp@gmail.com>
They can be generated automatically. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This prints the ASCII value, not the number. Adding a + avoids the warning. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Instead of deleting all the subclasses, delete the base. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Localization is not implemented. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Bumps [cygwin/cygwin-install-action](https://github.com/cygwin/cygwin-install-action) from 5 to 6. - [Release notes](https://github.com/cygwin/cygwin-install-action/releases) - [Commits](cygwin/cygwin-install-action@v5...v6) --- updated-dependencies: - dependency-name: cygwin/cygwin-install-action dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
This might fix bogus MSVC problems with header includes. Signed-off-by: Rosen Penev <rosenp@gmail.com>
It inherits from std::exception anyway. Signed-off-by: Rosen Penev <rosenp@gmail.com>
All EXIV2API declarations are in include except for this one, which is meant to be internal anyway. Signed-off-by: Rosen Penev <rosenp@gmail.com>
Remove CodeSee
Upload crash files when fuzzing fails
Remove nightly release
fix wrong timescale used to calculate fps
Reintroduces lens IDs lost in 8859209. Fixes Exiv2#1420. Signed-off-by: Miloš Komarčević <miloskomarcevic@aim.com> (cherry picked from commit ff7bdd6)
A follow-up to Exiv2#3479
Use last versions available for 1.x
(cherry picked from commit 9abf98a)
Add build provenance attestation
Add fuzz target for previews
(cherry picked from commit 2f14410)
add enforce to prevent integer overflow
Add enforce to check for integer overflow
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7 to 8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v7...v8) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 3.2.0 to 4.1.0. - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](actions/attest-build-provenance@96278af...a2bbfa2) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v6...v7) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
readTiffEntry: offset bounds check wraps on overflow

Description:
baseOffset() and offset are both uint32_t so when you add them the result can wrap. If it wraps to something below size_ the check passes and pData ends up pointing past the buffer — Value::read() then reads from memory it has no business touching.

On 64-bit the uintptr_t guard at line 1612 usually saves you. On 32-bit that guard is the same width so it wraps just the same; Value::read() dereferences the bad address and you get heap corruption and a SIGSEGV.

I ran into this through kioslave5 crashing on certain JPEGs.

Cast both sides to uint64_t before the addition — wide enough that the sum of any two uint32_t values can't wrap. I also dropped the second condition (static_cast<int32_t>(baseOffset()) + offset <= 0) because the cast doesn't actually change the arithmetic; it just catches the exact wrap-to-zero case and nothing else.

Related: #193, #1536
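The wrap the PR description talks about, reduced to a stand-alone model (added example, not Exiv2's readTiffEntry and not the PR author's code): the wrapping uint32_t check next to the widened uint64_t check, the removed `static_cast<int32_t>` condition to show that it only fires on an exact wrap to zero, and a hardened lookup that also accounts for the entry's own length. The function names (offsetAcceptedWrapping, offsetAcceptedWidened, legacySecondCheckFires, entryInBounds, entryData), the `end < size` form of the check, and the 1000-byte buffer with base 0xFFFFFF00 / offset 0x200 are all assumptions made for the example.

```cpp
// Added example, not Exiv2 code: models the readTiffEntry bounds check
// described in the PR. All names and the exact comparison form are
// hypothetical; the numeric inputs are constructed for illustration.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Before: both operands are uint32_t, so the sum is computed modulo 2^32.
// A large baseOffset plus offset can wrap to a small value and pass the check.
bool offsetAcceptedWrapping(uint32_t baseOffset, uint32_t offset, size_t size) {
    uint32_t end = baseOffset + offset;  // wraps silently
    return end < size;
}

// After: widen both operands first. The sum of two uint32_t values is at most
// 2^33 - 2, which always fits in uint64_t, so no wrap is possible.
bool offsetAcceptedWidened(uint32_t baseOffset, uint32_t offset, size_t size) {
    uint64_t end = static_cast<uint64_t>(baseOffset) + static_cast<uint64_t>(offset);
    return end < size;
}

// The second condition the PR removes. int32_t + uint32_t is evaluated as
// uint32_t (usual arithmetic conversions), so "<= 0" can only be true when the
// wrapped sum is exactly zero; any other wrapped value slips through.
bool legacySecondCheckFires(uint32_t baseOffset, uint32_t offset) {
    return static_cast<int32_t>(baseOffset) + offset <= 0;
}

// Hardened range check: true only when [base+offset, base+offset+len) lies
// entirely inside a buffer of bufSize bytes. Uses widened arithmetic for the
// start and a subtraction for the end so neither side can overflow.
bool entryInBounds(size_t bufSize, uint32_t baseOffset, uint32_t offset, size_t len) {
    uint64_t start = static_cast<uint64_t>(baseOffset) + static_cast<uint64_t>(offset);
    if (len > bufSize) return false;
    return start <= bufSize - len;
}

// Returns a pointer to the entry's bytes (the role pData plays) or nullptr.
const uint8_t* entryData(const std::vector<uint8_t>& buf, uint32_t baseOffset,
                         uint32_t offset, size_t len) {
    if (!entryInBounds(buf.size(), baseOffset, offset, len)) return nullptr;
    uint64_t start = static_cast<uint64_t>(baseOffset) + static_cast<uint64_t>(offset);
    return buf.data() + static_cast<size_t>(start);
}

int main() {
    std::vector<uint8_t> buf(1000, 0xAA);       // constructed 1000-byte buffer
    uint32_t base = 0xFFFFFF00u, off = 0x200u;  // constructed: uint32 sum wraps to 0x100
    std::printf("wrapping check accepts:  %d\n", offsetAcceptedWrapping(base, off, buf.size()));
    std::printf("widened check accepts:   %d\n", offsetAcceptedWidened(base, off, buf.size()));
    std::printf("legacy 2nd check fires:  %d\n", legacySecondCheckFires(base, off));
    std::printf("entryData (10,20,4) ok:  %d\n", entryData(buf, 10, 20, 4) != nullptr);
    std::printf("entryData wrapped ok:    %d\n", entryData(buf, base, off, 4) != nullptr);
    return 0;
}
```

With the constructed inputs the wrapping check accepts the entry (0xFFFFFF00 + 0x200 becomes 0x100, which is below 1000), the widened check rejects it, and the legacy int32_t condition does not fire because the wrapped sum is 0x100 rather than 0. The entryData helper goes one step beyond the PR by also checking the entry's length against the buffer end, which is the check Value::read() would otherwise rely on.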