File CVE-2018-17581.patch of Package exiv2-0_26.26888

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-17581.patch of Package exiv2-0_26.26888

From b3d077dcaefb6747fff8204490f33eba5a144edb Mon Sep 17 00:00:00 2001
From: Robin Mills <robin@clanmills.com>
Date: Sat, 13 Oct 2018 11:38:56 +0200
Subject: [PATCH] Fix #460 by adding more checks in
 CiffDirectory::readDirectory

---
 src/crwimage_int.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Index: exiv2-0.26/src/crwimage.cpp
===================================================================
--- exiv2-0.26.orig/src/crwimage.cpp
+++ exiv2-0.26/src/crwimage.cpp
@@ -455,14 +455,19 @@ namespace Exiv2 {
                                       uint32_t    size,
                                       ByteOrder   byteOrder)
     {
+        if (size < 4)
+            throw Error(kerCorruptedMetadata);
         uint32_t o = getULong(pData + size - 4, byteOrder);
-        if (size < 2 || o > size-2) throw Error(33);
+        if ( o+2 > size )
+            throw Error(kerCorruptedMetadata);
         uint16_t count = getUShort(pData + o, byteOrder);
 #ifdef DEBUG
         std::cout << "Directory at offset " << std::dec << o
                   <<", " << count << " entries \n";
 #endif
         o += 2;
+        if ( (o + (count * 10)) > size )
+            throw Error(kerCorruptedMetadata);
         for (uint16_t i = 0; i < count; ++i) {
             if (o + 10 > size) throw Error(33);
             uint16_t tag = getUShort(pData + o, byteOrder);

Places

File CVE-2018-17581.patch of Package exiv2-0_26.26888

Places