Fix the JPEG EXIF reader to deal with some broken/corrupt files

We parse the EXIF header in order to get the proper orientation, so let's be a bit more careful in what we accept. This patch adds better handling for reading past the end of the stream, plus it limits the number of IFDs read (to avoid processing too much data) and deals with a pathological case of the EXIF file format: EXIF (due to its TIFF origins) permits the offset to the next IFD to be backwards in the file, which means it could result in a loop or pointing to plain corrupt data. We disallow any backwards pointers, since it seems that's what other decoders do (libexif, for example). Change-Id: Iaeecaffe26af4535b416fffd1489332db92e3888 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Thiago Macieira <thiago.macieira@intel.com> 2016-11-21 15:17:03 -0800
committer: Thiago Macieira <thiago.macieira@intel.com> 2016-11-30 18:03:07 +0000
commit: 02150649f95b8f46f826e6e002be3fa0b6d009bc (patch)
tree: 670e2a17963ce60e263244a380262632904829c3 /tests
parent: 2cfcd8a63e03783b76a36a9f96ff9c754cf06294 (diff)
5 files changed, 14 insertions, 3 deletions
diff --git a/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_back_pointers.jpg b/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_back_pointers.jpg
new file mode 100644
index 0000000000..164d3080a3
--- /dev/null
+++ b/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_back_pointers.jpg
diff --git a/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_past_end.jpg b/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_past_end.jpg
new file mode 100644
index 0000000000..7e2451e6f9
--- /dev/null
+++ b/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_past_end.jpg
diff --git a/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_too_many_ifds.jpg b/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_too_many_ifds.jpg
new file mode 100644
index 0000000000..52c6a93f08
--- /dev/null
+++ b/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_too_many_ifds.jpg
diff --git a/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_too_many_tags.jpg b/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_too_many_tags.jpg
new file mode 100644
index 0000000000..6a080aada7
--- /dev/null
+++ b/tests/auto/gui/image/qimage/images/jpeg_exif_invalid_data_too_many_tags.jpg
diff --git a/tests/auto/gui/image/qimage/tst_qimage.cpp b/tests/auto/gui/image/qimage/tst_qimage.cpp
index 6f088bea24..28908bf230 100644
--- a/tests/auto/gui/image/qimage/tst_qimage.cpp
+++ b/tests/auto/gui/image/qimage/tst_qimage.cpp
@@ -187,7 +187,8 @@ private slots:
     void exifOrientation();
 
     void exif_QTBUG45865();
-    void exif_invalid_data_QTBUG46870();
+    void exifInvalidData_data();
+    void exifInvalidData();
 
     void cleanupFunctions();
 
@@ -2981,10 +2982,20 @@ void tst_QImage::exif_QTBUG45865()
     QCOMPARE(image.size(), QSize(5, 8));
 }
 
-void tst_QImage::exif_invalid_data_QTBUG46870()
+void tst_QImage::exifInvalidData_data()
+{
+    QTest::addColumn<bool>("$never used");
+    QTest::newRow("QTBUG-46870");
+    QTest::newRow("back_pointers");
+    QTest::newRow("past_end");
+    QTest::newRow("too_many_ifds");
+    QTest::newRow("too_many_tags");
+}
+
+void tst_QImage::exifInvalidData()
 {
     QImage image;
-    QVERIFY(image.load(m_prefix + "jpeg_exif_invalid_data_QTBUG-46870.jpg"));
+    QVERIFY(image.load(m_prefix + "jpeg_exif_invalid_data_" + QTest::currentDataTag() + ".jpg"));
     QVERIFY(!image.isNull());
 }
author	Thiago Macieira <thiago.macieira@intel.com>	2016-11-21 15:17:03 -0800
committer	Thiago Macieira <thiago.macieira@intel.com>	2016-11-30 18:03:07 +0000
commit	02150649f95b8f46f826e6e002be3fa0b6d009bc (patch)
tree	670e2a17963ce60e263244a380262632904829c3 /tests
parent	2cfcd8a63e03783b76a36a9f96ff9c754cf06294 (diff)