File CVE-2017-11591.patch of Package exiv2.7392

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2017-11591.patch of Package exiv2.7392

From 70e15f50fa2f8ebb2bf0661923a0fb6911bcc3c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Tue, 26 Sep 2017 22:57:59 +0200
Subject: [PATCH 1/9] Added missing include for INT_MIN & INT_MAX constants

(cherry picked from commit d4e7510f7c11186bedddc071e5c6ad6ade473da9)
---
 include/exiv2/value.hpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/exiv2/value.hpp b/include/exiv2/value.hpp
index 831eab3f..cbd9e6c8 100644
--- a/include/exiv2/value.hpp
+++ b/include/exiv2/value.hpp
@@ -44,6 +44,7 @@
 #include <sstream>
 #include <memory>
 #include <cstring>
+#include <climits>
 
 // *****************************************************************************
 // namespace extensions
-- 
2.14.1

From df7f9b2829dfb47c741ddf05ddf7706213733e4b Mon Sep 17 00:00:00 2001
From: clanmills <robin@clanmills.com>
Date: Tue, 26 Sep 2017 21:37:53 +0100
Subject: [PATCH 2/9] =?UTF-8?q?Fix=20https://github.com/Exiv2/exiv2/issues?=
 =?UTF-8?q?/55=20=20Thank=20You,=20Rapha=C3=ABl=20Hertzog.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

(cherry picked from commit c037d7377bc7bd63acc3f240101ff44002d19027)
---
 include/exiv2/value.hpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/exiv2/value.hpp b/include/exiv2/value.hpp
index cbd9e6c8..8e1fcff6 100644
--- a/include/exiv2/value.hpp
+++ b/include/exiv2/value.hpp
@@ -1662,7 +1662,7 @@ namespace Exiv2 {
     template<>
     inline long ValueType<Rational>::toLong(long n) const
     {
-        ok_ = (value_[n].second != 0);
+        ok_ = (value_[n].second != 0 && INT_MIN < value_[n].first && value_[n].first < INT_MAX );
         if (!ok_) return 0;
         return value_[n].first / value_[n].second;
     }
-- 
2.14.1

From f2712004d89cc556af8b45cb714e2316025092a8 Mon Sep 17 00:00:00 2001
From: clanmills <robin@clanmills.com>
Date: Wed, 27 Sep 2017 09:20:13 +0100
Subject: [PATCH 3/9] Fix https://github.com/Exiv2/exiv2/issues/55

(cherry picked from commit 6e3855aed7ba8bb4731fc4087ca7f9078b2f3d97)
---
 include/exiv2/value.hpp | 6 ++++--
 src/basicio.cpp         | 1 +
 src/error.cpp           | 7 ++++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/include/exiv2/value.hpp b/include/exiv2/value.hpp
index 8e1fcff6..27553f14 100644
--- a/include/exiv2/value.hpp
+++ b/include/exiv2/value.hpp
@@ -1658,11 +1658,13 @@ namespace Exiv2 {
         ok_ = true;
         return static_cast<long>(value_[n]);
     }
+// #55 crash when value_[n].first == LONG_MIN
+#define LARGE_INT 1000000
     // Specialization for rational
     template<>
     inline long ValueType<Rational>::toLong(long n) const
     {
-        ok_ = (value_[n].second != 0 && INT_MIN < value_[n].first && value_[n].first < INT_MAX );
+        ok_ = (value_[n].second != 0 && -LARGE_INT < value_[n].first && value_[n].first < LARGE_INT);
         if (!ok_) return 0;
         return value_[n].first / value_[n].second;
     }
@@ -1670,7 +1672,7 @@ namespace Exiv2 {
     template<>
     inline long ValueType<URational>::toLong(long n) const
     {
-        ok_ = (value_[n].second != 0);
+        ok_ = (value_[n].second != 0 && value_[n].first < LARGE_INT);
         if (!ok_) return 0;
         return value_[n].first / value_[n].second;
     }
diff --git a/src/basicio.cpp b/src/basicio.cpp
index a829690c..a6bfa11d 100644
--- a/src/basicio.cpp
+++ b/src/basicio.cpp
@@ -1035,6 +1035,7 @@ namespace Exiv2 {
     DataBuf FileIo::read(long rcount)
     {
         assert(p_->fp_ != 0);
+        if ( (size_t) rcount > size() ) throw Error(57);
         DataBuf buf(rcount);
         long readCount = read(buf.pData_, buf.size_);
         buf.size_ = readCount;
diff --git a/src/error.cpp b/src/error.cpp
index b7472b78..dcdde2ed 100644
--- a/src/error.cpp
+++ b/src/error.cpp
@@ -105,7 +105,12 @@ namespace {
         { 49, N_("TIFF directory %1 has too many entries") }, // %1=TIFF directory name
         { 50, N_("Multiple TIFF array element tags %1 in one directory") }, // %1=tag number
         { 51, N_("TIFF array element tag %1 has wrong type") }, // %1=tag number
-        { 52, N_("%1 has invalid XMP value type `%2'") } // %1=key, %2=value type
+        { 52, N_("%1 has invalid XMP value type `%2'") }, // %1=key, %2=value type
+        { 53, N_("Not a valid ICC Profile") },
+        { 54, N_("Not valid XMP") },
+        { 55, N_("tiff directory length is too large") },
+        { 56, N_("invalid type value detected in Image::printIFDStructure") },
+        { 57, N_("invalid memory allocation request") },
     };
 
 }
-- 
2.14.1

Places

File CVE-2017-11591.patch of Package exiv2.7392

Places