authorHubert Figuière <hub@figuiere.net>2017-03-26 01:10:11 -0400
committerHubert Figuière <hub@figuiere.net>2017-03-26 01:39:07 -0400
commitc34c1144dc479b1ae303fd4f11e0a1cfd1313d51 (patch)
tree0385012a9ed2c499dcd3147ca0e83b6927f8e12e /XMPFiles
parent7a3467d8bf594578828b6f69b5b8f2e316f43cb9 (diff)
2.4.x: Bug 100397 - Fix crash on malformed JPEG file
- Check that the TIFF tag data does not overrun the buffer - Fix a use-after-free in exception handling - Fix two invalid memcpy() calls on overlapping memory
Diffstat (limited to 'XMPFiles')
-rw-r--r--XMPFiles/source/FormatSupport/ReconcileTIFF.cpp2
-rw-r--r--XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp10
-rw-r--r--XMPFiles/source/FormatSupport/TIFF_Support.hpp8
3 files changed, 15 insertions, 5 deletions
diff --git a/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp b/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp
index 5eaf4bf..33d4673 100644
--- a/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp
+++ b/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp
@@ -233,7 +233,7 @@ static XMP_Uns32 GatherInt ( const char * strPtr, size_t count )
static size_t TrimTrailingSpaces ( char * firstChar, size_t origLen )
{
- if ( origLen == 0 ) return 0;
+ if ( !firstChar || origLen == 0 ) return 0;
char * lastChar = firstChar + origLen - 1;
if ( (*lastChar != ' ') && (*lastChar != 0) ) return origLen; // Nothing to do.
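Review bot: The new NULL guard on the `if ( !firstChar || origLen == 0 ) return 0;` line is undocumented, so the next reader cannot tell whether a NULL firstChar is a caller bug being hidden or an expected input. I would comment it, e.g. `// firstChar may be NULL when GetDataPtr rejected an entry whose data lies past the end of the TIFF; treat it as an empty string.` (that NULL return is introduced in TIFF_Support.hpp in this same commit). Since GetTag now returns false for such entries, this guard mainly covers any other path that still reaches here with a NULL pointer, which is worth stating so nobody removes it later. TrimTrailingSpaces continues past the end of the hunk.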
diff --git a/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp b/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp
index c1a0d44..5775b8a 100644
--- a/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp
+++ b/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp
@@ -70,7 +70,7 @@ void TIFF_MemoryReader::SortIFD ( TweakedIFDInfo* thisIFD )
} else if ( thisTag == prevTag ) {
// Duplicate tag, keep the 2nd copy, move the tail of the array up, prevTag is unchanged.
- memcpy ( &ifdEntries[i-1], &ifdEntries[i], 12*(tagCount-i) ); // AUDIT: Safe, moving tail forward, i >= 1.
+ memmove ( &ifdEntries[i-1], &ifdEntries[i], 12*(tagCount-i) ); // may overlap -- Hub
--tagCount;
--i; // ! Don't move forward in the array, we've moved the unseen part up.
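Review bot: The byte count on the memmove line is still the hard-coded `12*(tagCount-i)`; now that the line is being rewritten, `sizeof(ifdEntries[0])*(tagCount-i)` expresses the same intent and keeps the move in step with the entry type if it ever changes, assuming the array elements are the 12-byte raw IFD entries (the element type is not visible in this hunk). Switching to memmove is the right fix, since source and destination overlap by construction here. I would replace the `// may overlap -- Hub` comment with one that states the invariant rather than the author, e.g. `// Shift the unseen tail one slot toward the front; ranges overlap, so memmove is required.`. SortIFD starts and ends outside this hunk.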
@@ -86,7 +86,7 @@ void TIFF_MemoryReader::SortIFD ( TweakedIFDInfo* thisIFD )
// Out of order duplicate, move it to position j, move the tail of the array up.
ifdEntries[j] = ifdEntries[i];
- memcpy ( &ifdEntries[i], &ifdEntries[i+1], 12*(tagCount-(i+1)) ); // AUDIT: Safe, moving tail forward, i >= 1.
+ memmove ( &ifdEntries[i], &ifdEntries[i+1], 12*(tagCount-(i+1)) ); // may overlap -- Hub
--tagCount;
--i; // ! Don't move forward in the array, we've moved the unseen part up.
@@ -232,7 +232,11 @@ bool TIFF_MemoryReader::GetTag ( XMP_Uns8 ifd, XMP_Uns16 id, TagInfo* info ) con
info->dataLen = thisBytes;
info->dataPtr = this->GetDataPtr ( thisTag );
-
+ // Here we know that if it is NULL, it is wrong. -- Hub
+ // GetDataPtr will return NULL in case of overflow.
+ if (info->dataPtr == NULL) {
+ return false;
+ }
}
return true;
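Review bot: GetDataPtr is a private helper and the added NULL check covers only this call site; any other place in the reader that dereferences GetDataPtr's result (none is visible in this diff) now needs the same check, or the bounds fix merely moves the crash. Also, `info->dataLen` is already set to `thisBytes` on the line before the call, so a caller that ignores the false return sees a length with no data behind it; clearing it before bailing out, `info->dataLen = 0; info->dataPtr = NULL; return false;`, keeps the TagInfo self-consistent. I would fold the two-line note into one plain comment, `// GetDataPtr returns NULL when the entry's data lies outside the TIFF; reject the tag.`, without the author signature. The enclosing function starts before this hunk.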
diff --git a/XMPFiles/source/FormatSupport/TIFF_Support.hpp b/XMPFiles/source/FormatSupport/TIFF_Support.hpp
index 3914809..f82bbc2 100644
--- a/XMPFiles/source/FormatSupport/TIFF_Support.hpp
+++ b/XMPFiles/source/FormatSupport/TIFF_Support.hpp
@@ -790,7 +790,13 @@ private:
{ if ( GetUns32AsIs(&tifdEntry->bytes) <= 4 ) {
return &tifdEntry->dataOrPos;
} else {
- return (this->tiffStream + GetUns32AsIs(&tifdEntry->dataOrPos));
+ XMP_Uns32 pos = GetUns32AsIs(&tifdEntry->dataOrPos);
+ if (pos + GetUns32AsIs (&tifdEntry->bytes) > this->tiffLength) {
+ // Invalid file.
+ // The data is past the length of the TIFF.
+ return NULL;
+ }
+ return (this->tiffStream + pos);
}
}
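Review bot: The new bounds test on the `if (pos + GetUns32AsIs (&tifdEntry->bytes) > this->tiffLength)` line can itself wrap: both operands are XMP_Uns32, so an entry with pos close to 0xFFFFFFFF and a small bytes value sums to a small number in 32 bits, passes the check, and `this->tiffStream + pos` still points far outside the buffer, which is exactly the malformed-file case this commit is fixing. Compare without adding: `XMP_Uns32 len = GetUns32AsIs (&tifdEntry->bytes); if (pos > this->tiffLength || len > this->tiffLength - pos) return NULL;`. This holds whatever the width of tiffLength, because the sum is evaluated in 32 bits before the comparison. The bytes <= 4 branch is unaffected since the data lives inline in dataOrPos. GetDataPtr's signature is outside the hunk.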