Bug 100320

Summary: Fix potential overflow in jpeg exif reader. Found by aedla@google.com.
Product: WebKit Reporter: Nico Weber <thakis>
Component: New BugsAssignee: Nico Weber <thakis>
Status: RESOLVED FIXED    
Severity: Normal CC: eric, noel.gordon, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 100191    
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch for landing
none
Patch for landing none

Nico Weber
Reported 2012-10-24 19:49:50 PDT
Fix potential overflow in jpeg exif reader. Found by aedla@google.com.
Attachments
Patch (1.51 KB, patch)
2012-10-24 19:50 PDT, Nico Weber 		no flags
DetailsFormatted DiffDiff
Patch (1.81 KB, patch)
2012-10-29 15:48 PDT, Nico Weber 		no flags
DetailsFormatted DiffDiff
Patch (1.79 KB, patch)
2012-10-30 08:34 PDT, Nico Weber 		no flags
DetailsFormatted DiffDiff
Patch for landing (2.07 KB, patch)
2012-10-30 15:39 PDT, Nico Weber 		no flags
DetailsFormatted DiffDiff
Patch for landing (2.03 KB, patch)
2012-10-30 15:40 PDT, Nico Weber 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Nico Weber
Comment 1 2012-10-24 19:50:06 PDT
Created attachment 170540 [details] Patch
Nico Weber
Comment 2 2012-10-25 12:38:03 PDT
Comment on attachment 170540 [details] Patch Sounds like the security folks are still tweaking what to do here.
Nico Weber
Comment 3 2012-10-29 15:48:35 PDT
Created attachment 171328 [details] Patch
Eric Seidel (no email)
Comment 4 2012-10-29 16:32:50 PDT
Comment on attachment 171328 [details] Patch This is really a Noel review. If he says LGTM, then I'm happy to r+.
Eric Seidel (no email)
Comment 5 2012-10-29 16:33:15 PDT
Noel really should add himself to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/watchlist for all the decoder files. :)
Nico Weber
Comment 6 2012-10-30 08:34:40 PDT
Created attachment 171460 [details] Patch
Nico Weber
Comment 7 2012-10-30 15:20:03 PDT
Sounds like folks are happy with this. Can I get r+?
Eric Seidel (no email)
Comment 8 2012-10-30 15:30:01 PDT
Comment on attachment 171460 [details] Patch I assume Noel had a chance to look (and may have just commented to you over IRC)?
Eric Seidel (no email)
Comment 9 2012-10-30 15:30:23 PDT
Comment on attachment 171460 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=171460&action=review > Source/WebCore/platform/image-decoders/jpeg/JPEGImageDecoder.cpp:192 > + if (marker->data_length < 6 || ifdOffset >= marker->data_length - 6) > + continue; > ifdOffset += 6; // Account for 'Exif\0<fill byte>' header. 6 should probably be a constant with a nice name instead.
Nico Weber
Comment 10 2012-10-30 15:39:31 PDT
Created attachment 171534 [details] Patch for landing
Nico Weber
Comment 11 2012-10-30 15:40:05 PDT
Created attachment 171535 [details] Patch for landing
noel gordon
Comment 12 2012-10-30 16:38:02 PDT
LGTM.
WebKit Review Bot
Comment 13 2012-10-30 16:44:07 PDT
Comment on attachment 171535 [details] Patch for landing Clearing flags on attachment: 171535 Committed r132961: <http://trac.webkit.org/changeset/132961>
WebKit Review Bot
Comment 14 2012-10-30 16:44:11 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.