Fix issue 9324 #9325

Open
kevinbackhouse wants to merge 3 commits into Exiv2:0.28.x from kevinbackhouse:fix-issue-9324

@kevinbackhouse

Collaborator

fixes: #9324

@kevinbackhouse kevinbackhouse added this to the v0.28.9 milestone Jun 7, 2026
@kevinbackhouse kevinbackhouse added bug forward-to-main Forward changes in a 0.28.x PR to main with Mergify labels Jun 7, 2026
@kevinbackhouse kevinbackhouse linked an issue Jun 28, 2026 that may be closed by this pull request
Copilot AI review requested due to automatic review settings June 28, 2026 19:14

Copilot AI left a comment

Contributor

Pull request overview

Fixes #9324 by hardening CRW packIfdId size/offset computation to avoid a heap buffer overflow caused by uint16_t truncation, and adds a regression test + fixtures to ensure the modify-command path fails safely with a corrupted-metadata error.

Changes:

  • Prevent uint16_t truncation in packIfdId by computing in size_t and enforcing <= uint16_t max before narrowing.
  • Add a system test covering the exiv2 -m modify-command reproduction for issue #9324.
  • Add new test fixtures (.crw PoC and a command file) and include the PoC in the all-files regression set.
Summary per file:

| File | Description |
| --- | --- |
| tests/regression_tests/test_regression_allfiles.py | Adds the new PoC CRW file to the “valid files” regression corpus. |
| tests/bugfixes/github/test_issue_9324.py | New system test validating safe failure behavior for the reported overflow scenario. |
| test/data/issue_9324_poc.txt | New modify-command file crafted to reproduce the original overflow condition. |
| src/crwimage_int.cpp | Fixes the overflow/truncation bug in packIfdId by using checked arithmetic and bounds enforcement. |

Review details

  • Files reviewed: 4/5 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment on lines +9 to +12
filename = "$data_path/issue_9324_poc.crw"
command_filename = "$data_path/issue_9324_poc.txt"
commands = [f"$exiv2 -m $command_filename $filename"]
retval = [1]
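
Review bot: The `f` prefix on the `commands` string (third line of this excerpt) has no effect, because the string contains no `{}` replacement fields; `$exiv2`, `$command_filename` and `$filename` are `$`-style tokens, not f-string fields. Drop the prefix so the line reads `commands = ["$exiv2 -m $command_filename $filename"]`, which avoids suggesting that Python interpolation happens here and keeps linters quiet about a placeholder-free f-string.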
Labels

bug forward-to-main Forward changes in a 0.28.x PR to main with Mergify

Development

Successfully merging this pull request may close these issues.

Heap buffer overflow in packIfdId via uint16_t truncation

2 participants
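
The pattern named in the review overview above (compute in size_t, enforce <= uint16_t max, then narrow), shown next to the truncating shape it replaces. This is an added example, not code from this pull request or from Exiv2: directory entries are modeled as a list of value lengths, and `kHeaderBytes` and every function name are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <stdexcept>
#include <vector>
// Hypothetical model: each element is the value length of one directory entry.
using EntrySizes = std::vector<std::size_t>;
constexpr std::size_t kHeaderBytes = 2;  // assumed per-entry overhead

// Bytes a writer would really emit for these entries.
std::size_t bytesNeeded(const EntrySizes& entries) {
  std::size_t n = 0;
  for (std::size_t len : entries) n += kHeaderBytes + len;
  return n;
}

// "Before" shape: a uint16_t total wraps modulo 65536 once it passes 0xFFFF.
std::uint16_t sizeTruncating(const EntrySizes& entries) {
  std::uint16_t total = 0;
  for (std::size_t len : entries)
    total = static_cast<std::uint16_t>(total + kHeaderBytes + len);
  return total;
}

// "After" shape: accumulate in size_t, enforce <= uint16_t max, then narrow.
std::uint16_t sizeChecked(const EntrySizes& entries) {
  constexpr std::size_t kMax = std::numeric_limits<std::uint16_t>::max();
  std::size_t total = 0;
  for (std::size_t len : entries) {
    // Written as subtractions so the check itself cannot overflow.
    if (len > kMax - kHeaderBytes || kHeaderBytes + len > kMax - total)
      throw std::length_error("directory does not fit a 16-bit size field");
    total += kHeaderBytes + len;
  }
  return static_cast<std::uint16_t>(total);
}

// True when the checked version refuses the input instead of narrowing.
bool rejects(const EntrySizes& entries) {
  try { sizeChecked(entries); } catch (const std::length_error&) { return true; }
  return false;
}

int main() {
  const EntrySizes big(3, 30000);  // constructed input: needs 90006 bytes
  std::printf("needed=%zu truncated=%u rejected=%d\n", bytesNeeded(big),
              static_cast<unsigned>(sizeTruncating(big)), rejects(big));
}
```

A buffer allocated from the truncated value (24470 here) would be smaller than the 90006 bytes a writer then emits, which is the mismatch the checked version turns into an error.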