Merge pull request #2348 from kevinbackhouse/fix-issue-2270

Don't allow zero width/height in WebPImage::inject_VP8X
Exiv2 · Sep 8, 2022 · d2253c9 · d2253c9
2 parents 2482159 + bf151a1
commit d2253c9
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 0 deletions.
diff --git a/src/webpimage.cpp b/src/webpimage.cpp
@@ -752,12 +752,14 @@ void WebPImage::inject_VP8X(BasicIo& iIo, bool has_xmp, bool has_exif, bool has_
   }
 
   /* set width - stored in 24bits*/
+  enforce(width > 0, Exiv2::ErrorCode::kerCorruptedMetadata);
   uint32_t w = width - 1;
   data[4] = w & 0xFF;
   data[5] = (w >> 8) & 0xFF;
   data[6] = (w >> 16) & 0xFF;
 
   /* set height - stored in 24bits */
+  enforce(width > 0, Exiv2::ErrorCode::kerCorruptedMetadata);
   uint32_t h = height - 1;
   data[7] = h & 0xFF;
   data[8] = (h >> 8) & 0xFF;

diff --git a/test/data/issue_2270_poc.webp b/test/data/issue_2270_poc.webp
diff --git a/tests/bugfixes/github/test_issue_2270.py b/tests/bugfixes/github/test_issue_2270.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path
+@CopyTmpFiles("$data_path/issue_2270_poc.webp")
+
+class WebPImage_inject_VP8X_integer_overflow(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/issues/2270
+    """
+    url = "https://github.com/Exiv2/exiv2/issues/2270"
+
+    filename = path("$tmp_path/issue_2270_poc.webp")
+    commands = ["$exiv2 rm $filename"]
+    stdout = [""]
+    stderr = [
+        """$exception_in_erase """ + filename + """:
+$kerCorruptedMetadata
+"""]
+    retval = [1]
diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
@@ -94,6 +94,7 @@ def get_valid_files(data_dir):
         "issue_2160_poc.jpg",
         "issue_2178_poc.jp2",
         "issue_2268_poc.jp2",
+        "issue_2270_poc.webp",
         "issue_2320_poc.jpg",
         "issue_2339_poc.tiff",
         "issue_ghsa_583f_w9pm_99r2_poc.jp2",