Bug 100320

Summary: Fix potential overflow in jpeg exif reader. Found by aedla@google.com.
Product: WebKit Reporter: Nico Weber <thakis>
Component: New BugsAssignee: Nico Weber <thakis>
Status: RESOLVED FIXED    
Severity: Normal CC: eric, noel.gordon, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 100191    
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch for landing
none
Patch for landing none

Description Nico Weber 2012-10-24 19:49:50 PDT
Fix potential overflow in jpeg exif reader. Found by aedla@google.com.
Comment 1 Nico Weber 2012-10-24 19:50:06 PDT
Created attachment 170540 [details]
Patch
Comment 2 Nico Weber 2012-10-25 12:38:03 PDT
Comment on attachment 170540 [details]
Patch

Sounds like the security folks are still tweaking what to do here.
Comment 3 Nico Weber 2012-10-29 15:48:35 PDT
Created attachment 171328 [details]
Patch
Comment 4 Eric Seidel (no email) 2012-10-29 16:32:50 PDT
Comment on attachment 171328 [details]
Patch

This is really a Noel review.  If he says LGTM, then I'm happy to r+.
Comment 5 Eric Seidel (no email) 2012-10-29 16:33:15 PDT
Noel really should add himself to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/watchlist for all the decoder files. :)
Comment 6 Nico Weber 2012-10-30 08:34:40 PDT
Created attachment 171460 [details]
Patch
Comment 7 Nico Weber 2012-10-30 15:20:03 PDT
Sounds like folks are happy with this. Can I get r+?
Comment 8 Eric Seidel (no email) 2012-10-30 15:30:01 PDT
Comment on attachment 171460 [details]
Patch

I assume Noel had a chance to look (and may have just commented to you over IRC)?
Comment 9 Eric Seidel (no email) 2012-10-30 15:30:23 PDT
Comment on attachment 171460 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=171460&action=review

> Source/WebCore/platform/image-decoders/jpeg/JPEGImageDecoder.cpp:192
> +        if (marker->data_length < 6 || ifdOffset >= marker->data_length - 6)
> +            continue;
>          ifdOffset += 6; // Account for 'Exif\0<fill byte>' header.

6 should probably be a constant with a nice name instead.
Comment 10 Nico Weber 2012-10-30 15:39:31 PDT
Created attachment 171534 [details]
Patch for landing
Comment 11 Nico Weber 2012-10-30 15:40:05 PDT
Created attachment 171535 [details]
Patch for landing
Comment 12 noel gordon 2012-10-30 16:38:02 PDT
LGTM.
Comment 13 WebKit Review Bot 2012-10-30 16:44:07 PDT
Comment on attachment 171535 [details]
Patch for landing

Clearing flags on attachment: 171535

Committed r132961: <http://trac.webkit.org/changeset/132961>
Comment 14 WebKit Review Bot 2012-10-30 16:44:11 PDT
All reviewed patches have been landed.  Closing bug.