File CVE-2020-18831.patch of Package exiv2.30966
From 20a13f00e2db24c58ee326e4c89a56469718b30e Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kev@semmle.com>
Date: Thu, 16 May 2019 13:22:53 +0100
Subject: [PATCH] Add better bounds checking in PngImage::printStructure().
---
 src/pngimage.cpp | 13 +++++++---
Index: exiv2-0.26/src/pngimage.cpp
===================================================================
--- exiv2-0.26.orig/src/pngimage.cpp
+++ exiv2-0.26/src/pngimage.cpp
@@ -251,7 +251,7 @@ namespace Exiv2 {
 if (bufRead != cheaderBuf.size_) throw Error(20); // Decode chunk data length.
- uint32_t dataOffset = Exiv2::getULong(cheaderBuf.pData_, Exiv2::bigEndian);
+ const uint32_t dataOffset = Exiv2::getULong(cheaderBuf.pData_, Exiv2::bigEndian);
 for (int i = 4; i < 8; i++) { chType[i-4]=cheaderBuf.pData_[i]; }
@@ -266,7 +266,8 @@ namespace Exiv2 {
 } DataBuf buff(dataOffset);
- io_->read(buff.pData_,dataOffset);
+ bufRead = io_->read(buff.pData_,dataOffset);
+ enforce(bufRead == static_cast<long>(dataOffset), kerFailedToReadImageData);
 io_->seek(restore, BasicIo::beg); // format output
@@ -279,7 +280,8 @@ namespace Exiv2 {
 if ( bPrint ) { io_->seek(dataOffset, BasicIo::cur);// jump to checksum byte checksum[4];
- io_->read(checksum,4);
+ bufRead = io_->read(checksum,4);
+ enforce(bufRead == 4, kerFailedToReadImageData);
 io_->seek(restore, BasicIo::beg) ;// restore file pointer out << Internal::stringFormat("%8d | %-5s |%8d | "
@@ -310,9 +312,12 @@ namespace Exiv2 {
 DataBuf dataBuf; byte* data = new byte[dataOffset+1]; data[dataOffset] = 0;
- io_->read(data,dataOffset);
+ bufRead = io_->read(data,dataOffset);
+ enforce(bufRead == static_cast<long>(dataOffset), kerFailedToReadImageData);
 io_->seek(restore, BasicIo::beg); uint32_t name_l = (uint32_t) std::strlen((const char*)data)+1; // leading string length
+ enforce(name_l <= dataOffset, kerCorruptedMetadata);
+ uint32_t start = name_l; bool bLF = false;
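Review bot: In the hunk at -266, `DataBuf buff(dataOffset)` is still sized from the chunk's length field before anything in the hunk validates it, and the new `static_cast<long>(dataOffset)` comparison only behaves as intended when dataOffset fits in a long. Whether an earlier check bounds dataOffset against the remaining file size is not visible in these hunks; if none exists, a guard ahead of the allocation such as `enforce(dataOffset <= 0x7FFFFFFF && static_cast<long>(dataOffset) <= static_cast<long>(io_->size()) - io_->tell(), kerFailedToReadImageData);` would reject a crafted length before it drives a large allocation or a negative cast where long is 32 bits. The same cast appears in the hunk at -310. It is also worth confirming that `enforce` and the `ker…` names are available in this tree: the context still uses the numeric `throw Error(20)`, and this patch touches only src/pngimage.cpp, so it presumably depends on another patch in the package.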
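Review bot: In the hunk at -310, both new `enforce` calls can throw while `data` is a raw `new byte[dataOffset+1]`, so a truncated or NUL-less chunk leaks that buffer unless something outside the hunk catches and frees it (the matching `delete[]` is not visible here). Holding the storage in an owning object, for example `DataBuf nameBuf(dataOffset + 1); byte* data = nameBuf.pData_;` with the later manual free dropped, keeps the error path leak-free; otherwise a long-running process that repeatedly parses malformed files would grow in memory. Note also that `dataOffset+1` is computed in uint32_t, so a length of 0xFFFFFFFF wraps the allocation to zero bytes before `data[dataOffset] = 0` is written; that value needs to be excluded before this point if it is not already. The enclosing block begins and ends outside the hunk.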