c2pa tool version 0.6.2 failed to validate jpg file with APP marker segment with length = 2 (i.e. 0 data segment)

[pohhsu]

running latest c2patool (0.6.2) on this jpg image

D:\test\c2patool\0.6.2\c2patool\c2patool.exe -d ProvenanceOutput-Markers.jpg

failed with

{
  "code": "assertion.dataHash.mismatch",
  "url": "self#jumbf=/c2pa/contoso:urn:uuid:FA0E000D-FA0E-000D-FA0E-000DFA0E000D/c2pa.assertions/c2pa.hash.boxes",
  "explanation": "asset hash error: hash verification( Box hash name not found )"
}

This is image is attached.

Note that this is okay with 0.6.0.

Debugged into this a bit, it seems that the latest c2patool integrated jfifdump library (commit 9023ce53a52ee4bccd62c8f634b27c95b6257cbb in c2pa-rs on Oct 4).

The library will error out when the length of a marker is '2' (i.e. corresponds data segment is of length 0), see code here

https://github.com/vstroebel/jfifdump/blob/main/jfifdump/src/reader.rs line 64

    fn read_length(&mut self) -> Result<usize, JfifError> {
        let length = self.read_u16()? as usize;

        if length <= 2 {
            return Err(JfifError::InvalidMarkerLength(length));
        }

        Ok(length - 2)
    }

But from JPEG spec, length = 2 is legal for APPn box (see B.2.4.6 of ISO+IEC+10918-1-1994.pdf), so it seems that jfifdump should be modified to use

     if length < 2 { ...

[hackerfactor]

Very easy to replicate. You are correct that it fails to validate.

[dkozma]

We've opened up the following issue in the jfifdump repo: https://github.com/vstroebel/jfifdump/issues/6. Will look into opening a PR if that issue fails to get traction.

[mauricefisher64]

Issue is fixed in latest c2p-rs main branch. I will update this issue when we recreate a new c2patool release.

[mauricefisher64]

Fixed 0.9.6