File CVE-2021-29470.patch of Package exiv2-0_26

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2021-29470.patch of Package exiv2-0_26

From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 21 Apr 2021 12:06:04 +0100
Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header

---
 src/jp2image.cpp | 3 +++
 1 file changed, 3 insertions(+)

Index: exiv2-0.26/src/jp2image.cpp
===================================================================
--- exiv2-0.26.orig/src/jp2image.cpp
+++ exiv2-0.26/src/jp2image.cpp
@@ -630,13 +630,16 @@ namespace Exiv2
         DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
         int     outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
         int      inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+        enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
         Jp2BoxHeader* pBox   = (Jp2BoxHeader*) boxBuf.pData_;
         int32_t       length = getLong((byte*)&pBox->length, bigEndian);
+        enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
         int32_t       count  = sizeof (Jp2BoxHeader);
         char*         p      = (char*) boxBuf.pData_;
         bool          bWroteColor = false ;
 
         while ( count < length && !bWroteColor ) {
+            enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
 
             // copy data.  pointer could be into a memory mapped file which we will decode!

Places

File CVE-2021-29470.patch of Package exiv2-0_26

Places