Hi,
I wrote a fuzzer program and tried it on all programs. I found a serious bug in your libexif library!
At libexif/exif-data.c line 186, in function exif_data_load_data_entry():
    /* Sanity check */
    if (size < doff + s)          /* doff + s is computed in unsigned 32-bit arithmetic and can wrap */
        return;
    entry->data = exif_data_alloc (data, s);
    if (entry->data) {
        entry->size = s;
        memcpy (entry->data, d + doff, s);   /* copies s bytes starting at offset doff */
    }
Your code looks valid, but try it with:
    size=296
    doff=4294901874
    s=65535
doff+s is 4294967409, and 4294967409 is smaller than s. OK, but we are in the C world, and the C language uses modulo 2^32 (2^sizeof(int)) arithmetic, so doff+s is 113!
I don't know how to detect overflow, but I wrote these other tests:
    if (size < s)       /* s alone must fit in the buffer */
        return;
    if (size < doff)    /* doff alone must fit in the buffer */
        return;
A better idea would be to check the s and doff values, since a doff bigger than the file size and/or bigger than 2^31 looks to be an invalid value.
Victor
File to crash libexif
[Comment by user_id=365388 (originator)]
File Added: crash_libexif.jpg
[Comment by user_id=59853 (not the originator)]
The easy fix is to catch the integer overflow with a (doff+s < doff || doff+s < s) check. This fix is in CVS and today's 0.6.14 security fix release.
It would be even better to compare s and doff to size and layout of the EXIF file, but that would need non-trivial changes and additions to the code to keep track of and pass around the legal file offset ranges.
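Added example, not libexif code: the original check, the 0.6.14 wrap-around check and a widened-arithmetic alternative, modelled with unsigned 32-bit values (assumed to match the types libexif uses) and fed the numbers from the report above.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example (not libexif code). Assumes unsigned int is 32 bits, so
 * doff + s wraps modulo 2^32 exactly as described in the report. */

/* The check as reported: passes when doff + s wraps around. */
bool original_check_accepts(unsigned int size, unsigned int doff, unsigned int s)
{
    /* Sanity check */
    if (size < doff + s)
        return false;          /* rejected, memcpy is skipped */
    return true;               /* accepted, memcpy would read s bytes at doff */
}

/* The 0.6.14 fix: detect the wrap-around before comparing against size. */
bool fixed_check_accepts(unsigned int size, unsigned int doff, unsigned int s)
{
    if (doff + s < doff || doff + s < s)
        return false;          /* doff + s overflowed */
    if (size < doff + s)
        return false;
    return true;
}

/* Alternative that avoids relying on wrap-around detection: do the sum in
 * 64 bits so it cannot overflow for 32-bit inputs. */
bool widened_check_accepts(unsigned int size, unsigned int doff, unsigned int s)
{
    uint64_t end = (uint64_t)doff + (uint64_t)s;
    return end <= size;
}

int main(void)
{
    /* Values from the report: size=296, doff=4294901874, s=65535 */
    unsigned int size = 296, doff = 4294901874u, s = 65535;
    printf("original: %s\n", original_check_accepts(size, doff, s) ? "accepts (bug)" : "rejects");
    printf("fixed:    %s\n", fixed_check_accepts(size, doff, s) ? "accepts" : "rejects");
    printf("widened:  %s\n", widened_check_accepts(size, doff, s) ? "accepts" : "rejects");
    return 0;
}
```

With the report's values, doff + s wraps to 113, so the original check accepts the entry while both corrected checks reject it.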