From b5e8e99746ff1798ca54464c197b9c4c55db38ae Mon Sep 17 00:00:00 2001
From: John Cupitt
Date: Wed, 21 Aug 2019 17:17:54 +0100
Subject: [PATCH] fix a read-one-byte-beyond issue in jpeg load

libvips could harmlessly read beyond the end of a string with a crafted jpg file
---
ChangeLog | 1 +
libvips/foreign/jpeg2vips.c | 7 +++++--
libvips/iofuncs/header.c | 7 +++++--
3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 02cf7e4c..42848727 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@
- add locks for pdfium load
- fix build with MSVC
- fix a problem with shinkv tail processing [angelmixu]
+- fix a read one byte beyond buffer bug in jpegload

24/5/19 started 8.8.1
- improve realpath() use on older libc
diff --git a/libvips/foreign/jpeg2vips.c b/libvips/foreign/jpeg2vips.c
index 8240b164..1060bc9e 100644
--- a/libvips/foreign/jpeg2vips.c
+++ b/libvips/foreign/jpeg2vips.c
@@ -338,13 +338,16 @@ attach_xmp_blob( VipsImage *im, void *data, int data_length )
char *p = (char *) data;
int i;

- if( !vips_isprefix( "http", p ) )
+ if( data_length < 4 ||
+ !vips_isprefix( "http", p ) )
return( 0 );

/* Search for a null char within the first few characters. 80
* should be plenty for a basic URL.
+ *
+ * -2 for the extra null.
*/
- for( i = 0; i < 80; i++ )
+ for( i = 0; i < VIPS_MIN( 80, data_length - 2 ); i++ )
if( !p[i] )
break;
if( p[i] )
diff --git a/libvips/iofuncs/header.c b/libvips/iofuncs/header.c
index 2af3752d..62df5e9b 100644
--- a/libvips/iofuncs/header.c
+++ b/libvips/iofuncs/header.c
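Review bot: The new loop bound `VIPS_MIN( 80, data_length - 2 )` keeps the scan inside the blob, but the comment `-2 for the extra null.` does not say what it protects: the `if( p[i] )` test right after the loop indexes one past the last scanned byte, so the bound has to leave that index inside `data_length`, and the "extra null" presumably refers to the secret terminator appended by the blob copy, which is not stated either. I'd reword it to `/* Stop at data_length - 2 so the p[i] test after the loop stays inside the blob. */` and hoist the bound into a local, `const int limit = VIPS_MIN( 80, data_length - 2 );`, so the macro arguments are not re-evaluated on every iteration. The `data_length < 4` guard is what keeps `vips_isprefix()` from reading past a blob shorter than the "http" prefix; that is worth one clause in the comment as well. attach_xmp_blob() continues beyond the hunk, so whether the code that later consumes the bytes after the null is also bounded by `data_length` cannot be checked here.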
@@ -1451,12 +1451,15 @@ vips_image_set_blob_copy( VipsImage *image,
{
void *data_copy;

+ /* Cap at 100mb for sanity.
+ */
if( !data ||
- length == 0 )
+ length == 0 ||
+ length > 100 * 1024 * 1024 )
return;

/* We add an extra, secret null byte at the end, just in case this blob
- * is read as a C string. The libtiff reader (for example) attaches
+ * is read as a C string. The libtiff reader attaches
* XMP XML as a blob, for example.
*/
if( !(data_copy = vips_malloc( NULL, length + 1 )) )
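Review bot: The new size cap silently drops the blob: when `length > 100 * 1024 * 1024` the function returns with no warning and no error, so a caller cannot tell an oversized blob from one that was stored, and missing metadata becomes hard to diagnose. I'd emit a `g_warning()` naming the field and the rejected size before returning, and name the limit instead of spelling the arithmetic inline, e.g. (constructed name) `#define VIPS_MAX_BLOB_COPY (100 * 1024 * 1024)`. The comment `/* Cap at 100mb for sanity. */` should also say why the cap exists: it bounds the allocation that `vips_malloc( NULL, length + 1 )` performs on behalf of data read out of an image file, which a crafted file would otherwise control. vips_image_set_blob_copy() begins before the hunk and continues after it, so the parameter types and the `vips_malloc()` failure path are not visible here.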