fix incorrect loop condition (#1752)

Exiv2 · Jul 1, 2021 · d30c95d · d30c95d
1 parent 5ab3f2b
commit d30c95d
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 7 deletions.
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
@@ -655,7 +655,7 @@ static void boxes_check(size_t b,size_t m)
         auto p = reinterpret_cast<char*>(boxBuf.pData_);
         bool          bWroteColor = false ;
 
-        while ( count < length || !bWroteColor ) {
+        while ( count < length && !bWroteColor ) {
             enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
             auto pSubBox = reinterpret_cast<Jp2BoxHeader*>(p + count);
 

diff --git a/test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 b/test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
diff --git a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-from system_tests import CaseMeta, path
-
+from system_tests import CaseMeta, CopyTmpFiles, path
+@CopyTmpFiles("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2","$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
 
 class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
     """
@@ -10,13 +10,12 @@ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
     """
     url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj"
 
-    filename1 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
-    filename2 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
+    filename1 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
+    filename2 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
     commands = ["$exiv2 in $filename1"]
     stdout = [""]
     stderr = [
 """Error: XMP Toolkit error 201: XML parsing failure
 Warning: Failed to decode XMP metadata.
-$filename1: Could not write metadata to file: $kerCorruptedMetadata
 """]
-    retval = [1]
+    retval = [0]
diff --git a/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
+@CopyTmpFiles("$data_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
+
+class Jp2ImageEncodeJp2HeaderOutOfBoundsRead2(metaclass=CaseMeta):
+    """
+    Regression test for the bug described in:
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
+    """
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v"
+
+    filename = path("$tmp_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
+    commands = ["$exiv2 rm $filename"]
+    stdout = [""]
+    retval = [0]
+
+    compare_stderr = check_no_ASAN_UBSAN_errors