File CVE-2020-18899.patch of Package exiv2.30966

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2020-18899.patch of Package exiv2.30966

From 051b5d9df1f4669117937b7a40104404cc252993 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Wed, 20 Mar 2019 22:50:14 +0100
Subject: [PATCH] Fix #742 by detecting incorrect subBox size

(cherry picked from commit 1bdd3eab5ebdde324dbfecc3fb6d6495b32d2e4d)
---
 src/jp2image.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: exiv2-0.26/src/jp2image.cpp
===================================================================
--- exiv2-0.26.orig/src/jp2image.cpp
+++ exiv2-0.26/src/jp2image.cpp
@@ -175,6 +175,8 @@ namespace Exiv2
         throw(Error(32, "Image comment", "JP2"));
     } // Jp2Image::setComment
 
+    const size_t boxHSize = sizeof(Jp2BoxHeader);
+
     static void lf(std::ostream& out,bool& bLF)
     {
         if ( bLF ) {
@@ -506,6 +508,10 @@ namespace Exiv2
                             subBox.length = getLong((byte*)&subBox.length, bigEndian);
                             subBox.type   = getLong((byte*)&subBox.type, bigEndian);
 
+                            if (subBox.length < boxHSize || subBox.length > io_->size() - io_->tell()) {
+                                throw Error(kerCorruptedMetadata);
+                            }
+
                             DataBuf data(subBox.length-sizeof(box));
                             io_->read(data.pData_,data.size_);
                             if ( bPrint ) {

Places

File CVE-2020-18899.patch of Package exiv2.30966

Places