Bug 100320 - Fix potential overflow in jpeg exif reader. Found by aedla@google.com.
Summary: Fix potential overflow in jpeg exif reader. Found by aedla@google.com.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nico Weber
URL:
Keywords:
Depends on:
Blocks: 100191
Reported: 2012-10-24 19:49 PDT by Nico Weber
Modified: 2012-10-30 16:44 PDT

See Also:


Attachments
Patch (1.51 KB, patch)
2012-10-24 19:50 PDT, Nico Weber
Patch (1.81 KB, patch)
2012-10-29 15:48 PDT, Nico Weber
Patch (1.79 KB, patch)
2012-10-30 08:34 PDT, Nico Weber
Patch for landing (2.07 KB, patch)
2012-10-30 15:39 PDT, Nico Weber
Patch for landing (2.03 KB, patch)
2012-10-30 15:40 PDT, Nico Weber

Description Nico Weber 2012-10-24 19:49:50 PDT
Fix potential overflow in jpeg exif reader. Found by aedla@google.com.
Comment 1 Nico Weber 2012-10-24 19:50:06 PDT
Created attachment 170540 [details]
Patch
Comment 2 Nico Weber 2012-10-25 12:38:03 PDT
Comment on attachment 170540 [details]
Patch

Sounds like the security folks are still tweaking what to do here.
Comment 3 Nico Weber 2012-10-29 15:48:35 PDT
Created attachment 171328 [details]
Patch
Comment 4 Eric Seidel (no email) 2012-10-29 16:32:50 PDT
Comment on attachment 171328 [details]
Patch

This is really a Noel review.  If he says LGTM, then I'm happy to r+.
Comment 5 Eric Seidel (no email) 2012-10-29 16:33:15 PDT
Noel really should add himself to http://trac.webkit.org/browser/trunk/Tools/Scripts/webkitpy/common/config/watchlist for all the decoder files. :)
Comment 6 Nico Weber 2012-10-30 08:34:40 PDT
Created attachment 171460 [details]
Patch
Comment 7 Nico Weber 2012-10-30 15:20:03 PDT
Sounds like folks are happy with this. Can I get r+?
Comment 8 Eric Seidel (no email) 2012-10-30 15:30:01 PDT
Comment on attachment 171460 [details]
Patch

I assume Noel had a chance to look (and may have just commented to you over IRC)?
Comment 9 Eric Seidel (no email) 2012-10-30 15:30:23 PDT
Comment on attachment 171460 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=171460&action=review

> Source/WebCore/platform/image-decoders/jpeg/JPEGImageDecoder.cpp:192
> +        if (marker->data_length < 6 || ifdOffset >= marker->data_length - 6)
> +            continue;
>          ifdOffset += 6; // Account for 'Exif\0<fill byte>' header.
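
Review bot: In the added condition, the `marker->data_length < 6` test has to run before `marker->data_length - 6` is evaluated, because if the length is unsigned the subtraction wraps for markers shorter than 6 bytes and the second comparison would then pass; a one-line comment stating this would keep a later cleanup from reordering or merging the two tests. Passing the check also only guarantees that `ifdOffset` after the `+= 6` is below `data_length`, which is a single readable byte, so any multi-byte read at that offset needs its own bound against `data_length`.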

6 should probably be a constant with a nice name instead.
Comment 10 Nico Weber 2012-10-30 15:39:31 PDT
Created attachment 171534 [details]
Patch for landing
Comment 11 Nico Weber 2012-10-30 15:40:05 PDT
Created attachment 171535 [details]
Patch for landing
Comment 12 noel gordon 2012-10-30 16:38:02 PDT
LGTM.
Comment 13 WebKit Review Bot 2012-10-30 16:44:07 PDT
Comment on attachment 171535 [details]
Patch for landing

Clearing flags on attachment: 171535

Committed r132961: <http://trac.webkit.org/changeset/132961>
Comment 14 WebKit Review Bot 2012-10-30 16:44:11 PDT
All reviewed patches have been landed.  Closing bug.