rpms / exiv2

Clone
Source Code
GIT

Blame exiv2-CVE-2017-14860.patch

el4 el5 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fc6 main rawhide
  1.   ca955494e2dcb444e1cae671019bde4efbbb203d
  2.   exiv2-CVE-2017-14860.patch
Blob History Raw
b326000 
From 6ede8aa1975177705450abb816163f0b8d33a597 Mon Sep 17 00:00:00 2001
b326000 
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
b326000 
Date: Fri, 6 Oct 2017 23:09:08 +0200
b326000 
Subject: Fix for CVE-2017-14860
b326000
b326000 
A heap buffer overflow could occur in memcpy when icc.size_ is larger
b326000 
than data.size_ - pad, as then memcpy would read out of bounds of data.
b326000
b326000 
This commit adds a sanity check to iccLength (= icc.size_): if it is
b326000 
larger than data.size_ - pad (i.e. an overflow would be caused) an
b326000 
exception is thrown.
b326000
b326000 
This fixes #71.
b326000
b326000 
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
b326000 
index 1892fd43..09d023e2 100644
b326000 
--- a/src/jp2image.cpp
b326000 
+++ b/src/jp2image.cpp
b326000 
@@ -269,10 +269,15 @@ namespace Exiv2
b326000 
                             std::cout << "Exiv2::Jp2Image::readMetadata: "
b326000 
                                      << "Color data found" << std::endl;
b326000 
 #endif
b326000 
-                            long pad = 3 ; // 3 padding bytes 2 0 0
b326000 
+                            const long pad = 3 ; // 3 padding bytes 2 0 0
b326000 
                             DataBuf data(subBox.length+8);
b326000 
                             io_->read(data.pData_,data.size_);
b326000 
-                            long    iccLength = getULong(data.pData_+pad, bigEndian);
b326000 
+                            const long    iccLength = getULong(data.pData_+pad, bigEndian);
b326000 
+                            // subtracting pad from data.size_ is safe:
b326000 
+                            // size_ is at least 8 and pad = 3
b326000 
+                            if (iccLength > data.size_ - pad) {
b326000 
+                                throw Error(58);
b326000 
+			    }
b326000 
                             DataBuf icc(iccLength);
b326000 
                             ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
b326000 
 #ifdef DEBUG
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.