diff options
Diffstat (limited to 'media-gfx/exiv2/files/exiv2-0.26_p20180319-CVE-2018-4868.patch')
| -rw-r--r-- | media-gfx/exiv2/files/exiv2-0.26_p20180319-CVE-2018-4868.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/media-gfx/exiv2/files/exiv2-0.26_p20180319-CVE-2018-4868.patch b/media-gfx/exiv2/files/exiv2-0.26_p20180319-CVE-2018-4868.patch new file mode 100644 index 000000000000..a594a2bfad13 --- /dev/null +++ b/media-gfx/exiv2/files/exiv2-0.26_p20180319-CVE-2018-4868.patch @@ -0,0 +1,39 @@ +From ce4f575e106697c0e513091e95a7cd12ed6a488b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Tue, 9 Jan 2018 21:18:36 +0100
+Subject: [PATCH 1/8] Add check for DataBuf.size_ in Jp2Image::readMetadata()
+
+When parsing a subBox that is a ColorHeader, a length is extracted
+from the input file and fed directly into DataBuf() (which calls
+malloc). A crafted input file can provide arbitrarily (up to
+max(uint32_t)-8) large values and result in excessive memory
+allocation.
+
+This commit adds a check for the new size of DataBuf so that it is not
+larger than the remaining size of the file.
+
+This fixes #202 aka CVE-2018-4868
+---
+ src/jp2image.cpp | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index a308bfd9..3cebc2a8 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -272,7 +272,12 @@ namespace Exiv2
+ #endif
+
+ const long pad = 3 ; // 3 padding bytes 2 0 0
+- DataBuf data(Safe::add(subBox.length, static_cast<uint32_t>(8)));
++ const size_t data_length = Safe::add(subBox.length, static_cast<uint32_t>(8));
++ // data_length makes no sense if it is larger than the rest of the file
++ if (data_length > io_->size() - io_->tell()) {
++ throw Error(58);
++ }
++ DataBuf data(data_length);
+ io_->read(data.pData_,data.size_);
+ const long iccLength = getULong(data.pData_+pad, bigEndian);
+ // subtracting pad from data.size_ is safe:
+--
+2.17.0
|