From 45503a7e12d5b3bcb4abf5c75bf8074a4dbc379c Mon Sep 17 00:00:00 2001 From: Lovell Fuller Date: Mon, 2 Nov 2020 19:47:41 +0000 Subject: [PATCH] Ensure box clap values are sanitised Add two test cases to fuzz corpus to help prevent regression Prevents possible integer overflows and floating point exceptions --- fuzzing/corpus/github_367_1.heic | Bin 0 -> 4914 bytes fuzzing/corpus/github_367_2.heic | Bin 0 -> 4914 bytes libheif/box.cc | 12 ++++-------- 3 files changed, 4 insertions(+), 8 deletions(-) create mode 100644 fuzzing/corpus/github_367_1.heic create mode 100644 fuzzing/corpus/github_367_2.heic 
diff --git a/fuzzing/corpus/github_367_1.heic b/fuzzing/corpus/github_367_1.heic new file mode 100644 index 0000000000000000000000000000000000000000..7cd2a066d992cdb869d70a1c475c5a07600d9102 GIT binary patch literal 4914 zcmbtYX>e4>5$?CUl2!-O>INau(}@t0&?0QG3}}(SmMAddup__$wsu$2OLV-fmT-ii zm4pm9E&>IKAtq(6%29C@@FOWx5D+q{r4mvB+X2UwI6yFEAgOQ|0s;Bun|^yd3CNG6 ztF~vlr{{Px-QV;q5shr}tyNn*ii<#PN|Rl$r)ITzd`==+sPkIftzJmWUGeHhP0BLzI3oCQ(#GS)yzc6I~~Yjwr=M!cw9b zqtY8xS`Eqt?V9^5q7f8pP%aL2k25Hhc8ABL`6Y^vC?B_kEE6Ki^mp5vzRRRO#($kc-rzw*S$}a2$Pn2R%V$74QOdYD!XHR=lIhN85%EsUqWo3}o z#m8a(BC?;E!z`ui*yNE0rP5yH$rC$2ij@`OxYGA-5AJ-HERGoMP_7meJ%Z(Ewk&2P zQP475DE+#JbcQzh>rnc>7IvFg_%p{6tq-|Pa>z1=#|&F`vZXv!d4`p_5#?jWADkU4 zG`M0=ng29pfl%Tj5Fn9VDtyv1O4BT#x0on3;WnIMQD~jxXl#pjDb{J>=(^fjnlE1x-G7V!k>mE{Wu%yt2 zOf)E!c2ga9$Ke{f^Ex@wo4tzLFgp%t(r`-~)>%oG*=rO=mz_!oW{6tdN?Wtve!BuD zCV+wk;U0}ZwjxC15PS)g!QV!dOevH~X>i{R%7hn=qAWO5HjSa@DF;ZGOL>$}1xpI4 zh{j=8$5RP5rxZX|N)t)AW}>g9tp=-;7@!he?oJn$#ZugEMfIvgv5OSd)qyyxaCNkL zRc{9tY$|Z7YAc|L+S+~Ig)i5XH7;2y$6UrLV`zkwL9){|K1}uq1s5)g`xh_|=%X?* z)^D?Z&{NoDn>TfL>L1VFNbeD24=1uwizh)C14!T4E9r`qaV zD>qE~hv@NalAqnAx9~<7jW9kF)pn?By^3g`iCyx@_3f_mQh8E^eF~A-bG_5u1^mrY z#@WWYkgoTyMAJ`Vlw%RQIVXvZpl94sp#$cEil@Sn0O@Crs!p#{z$tvrYBe?CobUV; zH^UO5)N|;wth1?d5=rc{bTSOGIgJ^J@rajt^Jvo5ReXwH|X=v#wj$FSur_Y?<8sq3ywev+~Mwiuqvfoo_YPB<@Sv@#cVSm394|*KEB% ztG()T{lr;Ad-u-1BxfgVc}=b$@{=i$OqNEc=@rYRgC(ZAf>iU{*7aN8@|~T!A}!7O zYm2#id*SK0gydbf{Eb)g=Ef&O=3{UY>GkN3_jr z?Yekq$L*Yp*B%^-RqK1L(>7M;9~e^^m-(A0)5Mu{(LLv=)N5&)CTC3Dyunewje_iOJ|**~h-w;li+WlM~ng$$_TCD(xD+PtNrw4!^QNnMyO6{N&=|1LCW z9}jxTJ?DsVP-}S5Z5UKreq#RVt`+ZG2`~AH72dmfRnzW0Jkd1pddkXyq}-%4UmTk| z(06;L<9p{EQ%9w|=U91a)c37XTk{I~4-Z)OAi*GdR>EL1nGTxvV^?EmN&Qam8ONdm zSf?SvJfa)iDfpu?5nWP0eCZq-VioUvAN+@Gs-n;uRLoW@vK(Mmt5ePIXhoVP|MC&M zRQp>US_2}30^tzH^oa`N7Elzp)v3;GXqYRMp;FW%q~q4#wGW5j))e5@f*a}G+D*2^ zL>g|yNH0tzggCc{@#8VwCl9G!B%YE>(>}{z?Ndd4Gwho0*~P-dFZz8zwA2RRBNN6$ zFq#DP45wS1nu>OvqH(RPGt<0zzrhO!I4x1w+Kby4>zDcP 
z1a?CxfnCkkPs6NQBW6ttV;1anNPRS92@I)2mw*t&{V^N42b(lZyzf>G5|jf$~j1GA;ZT7`As>Wq6i>2&?%CN+2Y0hs9$NEZOd@1 zWJ5Y4Iv}_tf$YX?CX_>~?xvysmcCKGVS6}c(*CyI-c*I8rCd9Q9x7@1#jnU0*E zwJT$!V@LP!`0ujpkx$hvwrr~_iYd1}7ARXBM%j|n(FT;2>q96@(q({3U?`|K04j>h zRV59xxThBTptVWp&YKu<{!d7m+N`V^UdFcrhw~( z%!`;$VP4F9Jo6If6PTAWFJoSA;1yiAn=O6OG%0G+n%F+XGuadYh!ho*)GyHA>`+=e zTmmr>cp`Zf1fC^!Jix%Ghul*_5bfa*%s#>PLvMyi2*&@{5X5}J5aer4%rEcb@x+RG z{@fOpk!tC39^Mq;kcEBTeaIK_5*GwH|Mw`13D0F+F4&3kPo!sUXfMR2hW<9uEbNOW zvy9jd%8ytU2^+VM8$kI7JQ#v<@pe=KB7p{>|M*7S2?6mI*5#5Mlox`J4YZfsgB-v^ zLlEQ%$5|d3l1qD`4v2Rz2<>HaPzLZM3CiVSWdZTp1);tC6PEGN)#Zurvds6SXs=q7opP=%1Qsw;y9U46*hemh-^Tzn(PgPgejBB9>$6d9iZ= zD$r%3=Psi5DHVp~$w#=oND~T-KSksf0X(FF^3>{3?F9kT0X(mQEiZ_Z3-IO3J*#%I zJR#KnqPTzqc!UYU$kW6c14tQlxog^Wmhlh;p?&&cmP^1LLY^TmuK+*bxV?G?%i**E ZQjlPrT7!Bs|0%`B(QDjJJxSqo;y*NTBr*U1 literal 0 HcmV?d00001 
diff --git a/fuzzing/corpus/github_367_2.heic b/fuzzing/corpus/github_367_2.heic new file mode 100644 index 0000000000000000000000000000000000000000..463fd95005ba889fa17171d5d8e2d20fccb69640 GIT binary patch literal 4914 zcmdT{Yiv}<6+U-&ZLc5L*Do-}#@BD-7i$d0ArP-^XfT3c2t*EvfbDvXuj-_#|qor;|`gRYaCKs@l~i5RZ_~1{6B!kjP4-Q9+cT=aW^I2D?4dc*H;v zkM+2DhC3tX{YMTOY7Flds{H|5k66!#p6UnW`RKR#J>Owu`aHBqkAY7-bh_H*bD4-F zxtyr|XHFz4G7gE#l~h3!P-zQPuJKn^`aKolN#20x)QIjTzb86A9FqhWtZ}QYftaHE zWTI(AKduQMT_%aD$uh4;Z4;hvt8Nz?usd4S&Nbd?WP^)|%#=z|6ivELF|ia!@svR0 zD3Ov#resP%YZ|6Go+eNRO{7ekL|K$gHIzdNTe! z3iGsgHehxVrtPIfXX{!grX>)??Nl|lMil$JsyVxfOtymV4!7p+#ym|04o&N@AV6nV zuY2jU4HYdfu25nwQ4IdZVK$1xIVC7nL3tWI47q&{<3K(t7P0=4`OE&oUU^aN&eV@j zUrp~9vA-6?3Gw&va=~01e1(#Prw_b?^gS}EUBAN1_Q$29Z~YzpdZ4eL%;tgqezKT_ z9mP7D$oxfUKTIHNa6hzQlSrSSv$AH{(nbVjyVbc4hY8+>{vdv?x>oCOtXG<+|0jGT zVMp=A^|6QRQGF>?CmSX&gaJh9?~X@r?AF%1RncCLRdOj!UCzpKWty#OCXrZk;Y@UE z2|u$m{$$I1qi*1zM01WI(BY8Zf@4Gn(KGH)MzC*5Em3kj(TPKv!|lM1!;+BIYHGuK zzWH0CaW4{iPodAx*S1yF@NiN>10L~$uHPymiWwq$uwB>h?ZukxL+5`G4R>LWG-4?m zB{Q}Vz0ciNT&MdF?%W}YH}A%LC)lL~N!NvgS$LSm{|c>O4@uHkgTy_<8g^SuftQd#i9XE+Kixb#Ke%yoK=zO4IPJv_X55rGK?p@4@)3J5SH+ak?~*+TAs^@pymr zWH~--Zd0E_3Q&u(ePQCux%$f9cQ3CRU3~ON;qjsb<)*A3SXF$v?!bFDR;FAWik98h z-tz~BZseT*{LX<`t!W@(_QtyWec9D<6aE}!np#iiTNfOX1}tr}mGQNkhfE)So1zs* zLc5p4cKx~a$@vc+<|ANs;XYx1z5shB4H@R*y~F!b>`lrJ)g=vMFP%bNtmt`y$ zd21$kYsuC0KK&Ydiu@(Ahk9Y&0>rhtz_7SC(QR^(=JtSBoVtD?f1O7Y_Gb948RJt* z?6Bw$K+#fXtHVPkronNhAT@{~0&?Bp$iR5f;#e`$qDA0)A}hs7lX(3$0lhBGpqEhg z;`gSMBC@XR3FK+fXG*YRFbhr}IeS{vo;&N8pocIdm)G@@>-)$tJaHJG{joll4ps|3 z3v!(QgkRRR%zs438OH;k8Ftrex>v#(O6}|L{6vrCtl2@%g14Vi??p_3DK&BmNI{IY z%(!HPrr;B+4Z)k8^fl34A6X2{r4J{)5Xny2gD8DC_ZbsS7CX|1(=~u|QW;~93-OwA zK11Qd-M}xQBTbGM=OgYP#-XWT_~fuv5iLk833rKz+srYpOeL+g&DdxDGJT_RRlb{@ z@#T)@qa`KDuUccwdCNB^WaQf}(ZSKVJH}_&hx#7Q|6a>3C6xd715W_ZTBz{||!r#UqIOcYIk00WNt9rBB?n{dh_X4i6u`Is&*f2gW(v z`VB0uy*_-A1aR3A#u)}KA7DJuz!eJ^XBxOtJgE;~GD0wZSaIl)^(87>Ze-l}7mhLrhV%*PmE literal 0 HcmV?d00001 
diff --git a/libheif/box.cc b/libheif/box.cc
index 1bf70f4b82..3c74a06b3c 100644
--- a/libheif/box.cc
+++ b/libheif/box.cc
@@ -2298,14 +2298,10 @@ Error Box_clap::parse(BitstreamRange& range) { //parse_full_box_header(range);
- m_clean_aperture_width.numerator = range.read32();
- m_clean_aperture_width.denominator = range.read32();
- m_clean_aperture_height.numerator = range.read32();
- m_clean_aperture_height.denominator = range.read32();
- m_horizontal_offset.numerator = range.read32();
- m_horizontal_offset.denominator = range.read32();
- m_vertical_offset.numerator = range.read32();
- m_vertical_offset.denominator = range.read32();
+ m_clean_aperture_width = Fraction(range.read32(), range.read32());
+ m_clean_aperture_height = Fraction(range.read32(), range.read32());
+ m_horizontal_offset = Fraction(range.read32(), range.read32());
+ m_vertical_offset = Fraction(range.read32(), range.read32());
 if (!m_clean_aperture_width.is_valid() || !m_clean_aperture_height.is_valid() || !m_horizontal_offset.is_valid() || !m_vertical_offset.is_valid()) { return Error(heif_error_Invalid_input,
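Review bot: Each added `Fraction(range.read32(), range.read32())` line calls `range.read32()` twice inside one argument list, and C++ leaves the evaluation order of function arguments unspecified, so which 32-bit word becomes the numerator and which the denominator depends on the compiler; the removed lines fixed that order by assigning `.numerator` before `.denominator`. Since the `is_valid()` check that follows is the sanitisation this commit relies on, a swapped pair could pass or fail validation differently across builds, which also makes the new fuzz corpus entries less reliable as regression tests. Read the two words into named locals first and then construct the Fraction, for all four fields as below. Box_clap::parse starts above this hunk and its body continues below it, and Fraction's constructor is not shown here, so this assumes it takes (numerator, denominator) in that order as the old field assignments did.
```cpp
  // Read numerator before denominator explicitly: two range.read32() calls
  // inside one argument list have no guaranteed evaluation order.
  auto clap_w_num = range.read32();
  auto clap_w_den = range.read32();
  m_clean_aperture_width = Fraction(clap_w_num, clap_w_den);
  auto clap_h_num = range.read32();
  auto clap_h_den = range.read32();
  m_clean_aperture_height = Fraction(clap_h_num, clap_h_den);
  auto h_off_num = range.read32();
  auto h_off_den = range.read32();
  m_horizontal_offset = Fraction(h_off_num, h_off_den);
  auto v_off_num = range.read32();
  auto v_off_den = range.read32();
  m_vertical_offset = Fraction(v_off_num, v_off_den);
  // … unchanged: is_valid() checks and error return …
```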