File CVE-2019-20421.patch of Package exiv2.30966

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-20421.patch of Package exiv2.30966

From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
From: clanmills <robin@clanmills.com>
Date: Tue, 1 Oct 2019 17:39:44 +0100
Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop

---
 src/jp2image.cpp                             |  25 +++++++++++++++----
 test/data/Jp2Image_readMetadata_loop.poc     | Bin 0 -> 738 bytes
 tests/bugfixes/github/test_CVE_2017_17725.py |   4 +--
 tests/bugfixes/github/test_issue_1011.py     |  13 ++++++++++
 4 files changed, 35 insertions(+), 7 deletions(-)
 create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
 create mode 100644 tests/bugfixes/github/test_issue_1011.py

Index: exiv2-0.26/src/jp2image.cpp
===================================================================
--- exiv2-0.26.orig/src/jp2image.cpp
+++ exiv2-0.26/src/jp2image.cpp
@@ -19,11 +19,6 @@
  * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
  */
 
-/*
-  File:      jp2image.cpp
-  Version:   $Rev$
-*/
-
 // *****************************************************************************
 #include "rcsid_int.hpp"
 EXIV2_RCSID("@(#) $Id$")
@@ -207,6 +202,16 @@ namespace Exiv2
         return result;
     }
 
+static void boxes_check(size_t b,size_t m)
+{
+    if ( b > m ) {
+#ifdef EXIV2_DEBUG_MESSAGES
+        std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
+#endif
+        throw Error(kerCorruptedMetadata);
+    }
+}
+
     void Jp2Image::readMetadata()
     {
 #ifdef DEBUG
@@ -229,9 +234,12 @@ namespace Exiv2
         Jp2BoxHeader      subBox    = {0,0};
         Jp2ImageHeaderBox ihdr      = {0,0,0,0,0,0,0,0};
         Jp2UuidBox        uuid      = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+        size_t            boxes     = 0 ;
+        size_t            boxem     = 1000 ; // boxes max
 
         while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
         {
+            boxes_check(boxes++,boxem );
             position   = io_->tell();
             box.length = getLong((byte*)&box.length, bigEndian);
             box.type   = getLong((byte*)&box.type, bigEndian);
@@ -261,8 +269,12 @@ namespace Exiv2
 
                     while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
                     {
+                        boxes_check(boxes++, boxem);
                         subBox.length = getLong((byte*)&subBox.length, bigEndian);
                         subBox.type   = getLong((byte*)&subBox.type, bigEndian);
+                        if (subBox.length > io_->size() ) {
+                            throw Error(kerCorruptedMetadata);
+                        }
 #ifdef DEBUG
                         std::cout << "Exiv2::Jp2Image::readMetadata: "
                         << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
@@ -318,7 +330,9 @@ namespace Exiv2
                         }
 
                         io_->seek(restore,BasicIo::beg);
-                        io_->seek(subBox.length, Exiv2::BasicIo::cur);
+                        if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
+                            throw Error(kerCorruptedMetadata);
+                        }
                         restore = io_->tell();
                     }
                     break;

Places

File CVE-2019-20421.patch of Package exiv2.30966

Places