diff --git a/ChangeLog b/ChangeLog
index 162ba56f..44227131 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,8 @@
 - fix build with GM
 - add locks for pdfium load
 - fix build with MSVC
+- fix a problem with shinkv tail processing [angelmixu]
+- fix a read one byte beyond buffer bug in jpegload
 
 24/5/19 started 8.8.1
 - improve realpath() use on older libc
diff --git a/fuzz/common_fuzzer_corpus/clusterfuzz-testcase-minimized-jpegsave_buffer_fuzzer-5673786296238080 b/fuzz/common_fuzzer_corpus/clusterfuzz-testcase-minimized-jpegsave_buffer_fuzzer-5673786296238080
new file mode 100644
index 00000000..447f0f65
Binary files /dev/null and b/fuzz/common_fuzzer_corpus/clusterfuzz-testcase-minimized-jpegsave_buffer_fuzzer-5673786296238080 differ
diff --git a/libvips/foreign/jpeg2vips.c b/libvips/foreign/jpeg2vips.c
index aacb6918..8ae2782e 100644
--- a/libvips/foreign/jpeg2vips.c
+++ b/libvips/foreign/jpeg2vips.c
@@ -344,13 +344,16 @@ attach_xmp_blob( VipsImage *im, void *data, int data_length )
 	char *p = (char *) data;
 	int i;
 
-	if( !vips_isprefix( "http", p ) )
+	if( data_length < 4 ||
+		!vips_isprefix( "http", p ) )
 		return( 0 );
 
 	/* Search for a null char within the first few characters. 80
 	 * should be plenty for a basic URL.
+	 *
+	 * -2 for the extra null.
 	 */
-	for( i = 0; i < 80; i++ )
+	for( i = 0; i < VIPS_MIN( 80, data_length - 2 ); i++ )
 		if( !p[i] )
 			break;
 	if( p[i] )
diff --git a/libvips/iofuncs/header.c b/libvips/iofuncs/header.c
index cc23e674..79bf8b1a 100644
--- a/libvips/iofuncs/header.c
+++ b/libvips/iofuncs/header.c
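Review bot: The new comment `-2 for the extra null.` explains the wrong thing: the bound matters because the `if( p[i] )` test after the loop reads index `VIPS_MIN( 80, data_length - 2 )`, and together with the `data_length < 4` guard that keeps the read inside the caller's buffer whether or not the blob was stored with a trailing null. Suggest `/* Stop short of data_length so the p[i] test after the loop stays inside the buffer, even for blobs that were not attached via vips_image_set_blob_copy() and so carry no extra trailing null. */`. The `4` in the guard is `strlen( "http" )`; either say so in a comment or write it as `data_length < (int) strlen( "http" ) ||` so the two cannot drift apart. Presumably the code after `if( p[i] )` derives the XML length from `data_length - i - 1`; that part is outside the hunk and should be checked against the same bound, since attach_xmp_blob begins and ends outside this hunk.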
@@ -1454,12 +1454,15 @@ vips_image_set_blob_copy( VipsImage *image,
 {
 	void *data_copy;
 
+	/* Cap at 100mb for sanity.
+	 */
 	if( !data ||
-		length == 0 )
+		length == 0 ||
+		length > 100 * 1024 * 1024 )
 		return;
 
 	/* We add an extra, secret null byte at the end, just in case this blob
-	 * is read as a C string. The libtiff reader (for example) attaches
+	 * is read as a C string. The libtiff reader attaches
 	 * XMP XML as a blob, for example.
 	 */
 	if( !(data_copy = vips_malloc( NULL, length + 1 )) )
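Review bot: A blob above the new `length > 100 * 1024 * 1024` cap is dropped by a bare `return`, so the caller gets no indication that its metadata was discarded, and the limit itself is an unexplained literal. At minimum say so where the cap lives, `/* Cap at 100 MiB for sanity: larger blobs are silently ignored. */`, and consider a `g_warning()` on that path so the drop shows up in logs; a named file-scope constant would also let other blob setters share the same limit. The cap has a side effect worth a word in the comment: it keeps `length + 1` in the `vips_malloc()` call below from wrapping when `length` is near the maximum of its type, which the old `length == 0` test alone did not guard. The declared type of `length` is not visible in this hunk, so whether the new comparison mixes signed and unsigned operands should be checked against the signature.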