
Fix UBSAN false positive #3483

Merged
kevinbackhouse merged 1 commit into Exiv2:main from kevinbackhouse:append-zero
Feb 16, 2026

Conversation

@kevinbackhouse
Collaborator

This fixes a (false positive) error from UBSAN:

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3590403533
INFO: Loaded 2 modules   (184486 inline 8-bit counters): 183894 [0x76d8651991c0, 0x76d8651c6016), 592 [0x62495a70b448, 0x62495a70b698), 
INFO: Loaded 2 PC tables (184486 PCs): 183894 [0x76d8651c6018,0x76d865494578), 592 [0x62495a70b698,0x62495a70db98), 
./bin/fuzz-read-print-write: Running 1 inputs 1 time(s) each.
Running: crash-01c9e1813f47c45ee6be5c976f16641176e51982
/home/kev/work/exiv2/src/image.cpp:651:10: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/kev/work/exiv2/src/image.cpp:651:10 

It's a false positive because size is zero, so it doesn't matter that bytes is NULL. But it's easy to fix by returning early if size == 0.
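The pattern described above, as an added example that is not Exiv2's code: a hypothetical growable profile buffer whose append skips memcpy when size is zero (a null source with zero length is exactly what UBSAN flagged) while still running the optional validation pass. The Profile type, the function names and check_icc_profile (which only checks the 128-byte header length and the 'acsp' signature at offset 36) are assumptions, not Exiv2's implementation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable profile buffer; not Exiv2's Image class. */
typedef struct {
    uint8_t *data;
    size_t size;
    bool valid;  /* outcome of the last validation pass */
} Profile;

/* Stand-in for checkIccProfile(): an ICC header is 128 bytes and carries
 * the 'acsp' signature at offset 36; only those two facts are checked.
 * Short-circuits on size, so it never dereferences a NULL data pointer. */
static bool check_icc_profile(Profile *p) {
    p->valid = p->size >= 128 && memcmp(p->data + 36, "acsp", 4) == 0;
    return p->valid;
}

/* Append `size` bytes. When size == 0 the caller may pass bytes == NULL
 * (an empty trailing chunk); memcpy must not see that pointer, since glibc
 * declares both pointer arguments nonnull and C11 7.24.1 requires valid
 * pointers even for n == 0. The copy is skipped, but the validation pass
 * still runs so an empty final chunk does not bypass it. */
static bool append_icc_profile(Profile *p, const uint8_t *bytes, size_t size,
                               bool test_valid) {
    if (size != 0) {
        uint8_t *grown = realloc(p->data, p->size + size);
        if (grown == NULL)
            return false;
        memcpy(grown + p->size, bytes, size);
        p->data = grown;
        p->size += size;
    }
    return test_valid ? check_icc_profile(p) : true;
}
```

Built with -fsanitize=undefined, the size == 0 branch is the one a fuzzer-provided empty chunk exercises; without the guard, memcpy(grown, NULL, 0) would trip the nonnull-attribute check.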

@kevinbackhouse
Collaborator Author

@mergify backport 0.28.x

@mergify
Contributor

mergify Bot commented Feb 15, 2026

backport 0.28.x

✅ Backports have been created


@kevinbackhouse kevinbackhouse marked this pull request as ready for review February 15, 2026 23:06
Copilot AI review requested due to automatic review settings February 15, 2026 23:06

Copilot AI left a comment


Pull request overview

This PR addresses a UBSAN report in Image::appendIccProfile() by avoiding calling memcpy() with a null source pointer when size == 0, which can trip nonnull-annotated libc implementations during fuzzing.

Changes:

  • Add an early return in Image::appendIccProfile() when size == 0 to prevent memcpy() from being invoked in that case.


Comment thread src/image.cpp
}

void Image::appendIccProfile(const uint8_t* bytes, size_t size, bool bTestValid) {
if (size == 0) {
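Review bot: the `if (size == 0) {` guard is the right fix, but the description undersells it as quieting a false positive: calling memcpy with a null `bytes` is undefined behaviour even when `size` is zero (C11 7.24.1 requires pointer arguments to be valid regardless of the length, and glibc's string.h marks both pointers nonnull, which is what UBSAN enforces in the report above), so a one-line comment above the guard saying it exists because memcpy must not receive a null source would stop a future reader from removing it as dead code.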

Copilot AI Feb 15, 2026


Early-returning on size == 0 skips the bTestValid path, so callers that rely on appendIccProfile(..., bTestValid=true) to validate the assembled ICC profile (e.g., the last JPEG chunk) will no longer run checkIccProfile(). Consider keeping the UBSAN fix while still validating: if size == 0 and bTestValid is true, call checkIccProfile() before returning (or otherwise ensure validation happens when the final chunk is empty).

Suggested change
if (size == 0) {
if (size == 0) {
if (bTestValid) {
checkIccProfile();
}

@kevinbackhouse kevinbackhouse merged commit f4e68fd into Exiv2:main Feb 16, 2026
132 of 140 checks passed
@kevinbackhouse kevinbackhouse deleted the append-zero branch February 16, 2026 11:13