There is a bug at webpimage.cpp:515. If filesize < io_->tell() then the subtraction overflows and the bounds check on size is ineffective.
There is an additional problem in this function, which is that the error conditions are not checked after the calls to io_->read. Calls to io_->read should always be followed by calls to io_->error() and io_->eof(), to make sure that the buffer was read successfully. This means that the code does not notice that the file size is much smaller than the value of size would suggest. This has enabled me to write a PoC which causes exiv2 to run for almost a minute, scanning 4GB of uninitialized memory.
Here is the PoC, which I have tested on master (55dfdb9):
. You can run the PoC like this to see the long-running behavior:
$ time exiv2 poc1.jpg
File name : poc1.jpg
File size : 28 Bytes
MIME type : image/webp
Image size : 0 x 0
poc1.jpg: No Exif data found in the file
real 0m52.738s
user 0m50.621s
sys 0m2.108s
Or if you use ulimit to lower the maximum allocation size to less than 4GB then exiv2 will crash:
$ ulimit -v 4000000
$ exiv2 poc1.jpg
Uncaught exception: std::bad_alloc
There is a bug at webpimage.cpp:515. If
filesize < io_->tell()then the subtraction overflows and the bounds check onsizeis ineffective.There is an additional problem in this function, which is that the error conditions are not checked after the calls to
io_->read. Calls toio_->readshould always be followed by calls toio_->error()andio_->eof(), to make sure that the buffer was read successfully. This means that the code does not notice that the file size is much smaller than the value ofsizewould suggest. This has enabled me to write a PoC which causes exiv2 to run for almost a minute, scanning 4GB of uninitialized memory.Here is the PoC, which I have tested on master (55dfdb9):
. You can run the PoC like this to see the long-running behavior:
Or if you use
ulimitto lower the maximum allocation size to less than 4GB then exiv2 will crash: