Blame SOURCES/exiv2-CVE-2017-14860.patch

3f58c5
From 6ede8aa1975177705450abb816163f0b8d33a597 Mon Sep 17 00:00:00 2001
3f58c5
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
3f58c5
Date: Fri, 6 Oct 2017 23:09:08 +0200
3f58c5
Subject: Fix for CVE-2017-14860
3f58c5
3f58c5
A heap buffer overflow could occur in memcpy when icc.size_ is larger
3f58c5
than data.size_ - pad, as then memcpy would read out of bounds of data.
3f58c5
3f58c5
This commit adds a sanity check to iccLength (= icc.size_): if it is
3f58c5
larger than data.size_ - pad (i.e. an overflow would be caused) an
3f58c5
exception is thrown.
3f58c5
3f58c5
This fixes #71.
3f58c5
3f58c5
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
3f58c5
index 1892fd43..09d023e2 100644
3f58c5
--- a/src/jp2image.cpp
3f58c5
+++ b/src/jp2image.cpp
3f58c5
@@ -269,10 +269,15 @@ namespace Exiv2
3f58c5
                             std::cout << "Exiv2::Jp2Image::readMetadata: "
3f58c5
                                      << "Color data found" << std::endl;
3f58c5
 #endif
3f58c5
-                            long pad = 3 ; // 3 padding bytes 2 0 0
3f58c5
+                            const long pad = 3 ; // 3 padding bytes 2 0 0
3f58c5
                             DataBuf data(subBox.length+8);
3f58c5
                             io_->read(data.pData_,data.size_);
3f58c5
-                            long    iccLength = getULong(data.pData_+pad, bigEndian);
3f58c5
+                            const long    iccLength = getULong(data.pData_+pad, bigEndian);
3f58c5
+                            // subtracting pad from data.size_ is safe:
3f58c5
+                            // size_ is at least 8 and pad = 3
3f58c5
+                            if (iccLength > data.size_ - pad) {
3f58c5
+                                throw Error(58);
3f58c5
+			    }
3f58c5
                             DataBuf icc(iccLength);
3f58c5
                             ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
3f58c5
 #ifdef DEBUG