File CVE-2017-14865-14862-14859.patch of Package exiv2.7392

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2017-14865-14862-14859.patch of Package exiv2.7392

From 30269d3028e8c383caf5930b18aa9fbea0e45f1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Fri, 6 Oct 2017 23:08:01 +0200
Subject: [PATCH 5/9] Added new error message to warn about corrupted metadata

(cherry picked from commit a2f25c9a63cccf3ecb17a23747e5d7d20982075a)
---
 src/error.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/error.cpp b/src/error.cpp
index dcdde2ed..c73bf524 100644
--- a/src/error.cpp
+++ b/src/error.cpp
@@ -111,6 +111,7 @@ namespace {
         { 55, N_("tiff directory length is too large") },
         { 56, N_("invalid type value detected in Image::printIFDStructure") },
         { 57, N_("invalid memory allocation request") },
+        { 58, N_("corrupted image metadata") },
     };
 
 }
-- 
2.14.1

From c30ababe6c9b7422d05b1efe372ea9b0b022dd23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Sat, 7 Oct 2017 23:07:26 +0200
Subject: [PATCH 6/9] Added arithmetic operation overflow error

(cherry picked from commit da67c16f3d8f8431ae5c732126499f74ccca6a81)
---
 src/error.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/error.cpp b/src/error.cpp
index c73bf524..f0daa533 100644
--- a/src/error.cpp
+++ b/src/error.cpp
@@ -112,6 +112,7 @@ namespace {
         { 56, N_("invalid type value detected in Image::printIFDStructure") },
         { 57, N_("invalid memory allocation request") },
         { 58, N_("corrupted image metadata") },
+        { 59, N_("Arithmetic operation overflow") },
     };
 
 }
-- 
2.14.1

From fd85c1617c79775dd9f47bc6b5c50f39feb8d61b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Sat, 7 Oct 2017 23:08:36 +0200
Subject: [PATCH 7/9] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859

The invalid memory dereference in
Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read()
is caused further up the call-stack, by
v->read(pData, size, byteOrder) in TiffReader::readTiffEntry()
passing an invalid pData pointer (pData points outside of the Tiff
file). pData can be set out of bounds in the (size > 4) branch where
baseOffset() and offset are added to pData_ without checking whether
the result is still in the file. As offset comes from an untrusted
source, an attacker can craft an arbitrarily large offset into the
file.

This commit adds a check into the problematic branch, whether the
result of the addition would be out of bounds of the Tiff
file. Furthermore the whole operation is checked for possible
overflows.

(cherry picked from commit d4e4288d839d0d9546a05986771f8738c382060c)
---
 src/tiffvisitor.cpp | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp
index a15350ef..2917c9bb 100644
--- a/src/tiffvisitor.cpp
+++ b/src/tiffvisitor.cpp
@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$")
 #include <iostream>
 #include <iomanip>
 #include <cassert>
+#include <limits>
 
 // *****************************************************************************
 namespace {
@@ -1509,7 +1510,19 @@ namespace Exiv2 {
                 size = 0;
         }
         if (size > 4) {
+            // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory,
+            // as offset can be arbitrarily large
+            if ((static_cast<uintptr_t>(baseOffset()) > std::numeric_limits<uintptr_t>::max() - static_cast<uintptr_t>(offset))
+             || (static_cast<uintptr_t>(baseOffset() + offset) > std::numeric_limits<uintptr_t>::max() - reinterpret_cast<uintptr_t>(pData_)))
+            {
+                throw Error(59);
+            }
+            if (pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_) {
+                throw Error(58);
+            }
             pData = const_cast<byte*>(pData_) + baseOffset() + offset;
+
+	    // check for size being invalid
             if (size > static_cast<uint32_t>(pLast_ - pData)) {
 #ifndef SUPPRESS_WARNINGS
                 EXV_ERROR << "Upper boundary of data for "
-- 
2.14.1

Places

File CVE-2017-14865-14862-14859.patch of Package exiv2.7392

Places