Blame SOURCES/exiv2-CVE-2021-37619.patch

aa9105
From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
aa9105
From: Kevin Backhouse <kevinbackhouse@github.com>
aa9105
Date: Wed, 30 Jun 2021 16:47:50 +0100
aa9105
Subject: [PATCH 2/2] Fix incorrect loop condition.
aa9105
aa9105
---
aa9105
 src/jp2image.cpp                                      |  6 ++++--
aa9105
 .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
aa9105
 2 files changed, 9 insertions(+), 8 deletions(-)
aa9105
aa9105
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
aa9105
index 2cd0a89..58ad5c6 100644
aa9105
--- a/src/jp2image.cpp
aa9105
+++ b/src/jp2image.cpp
aa9105
@@ -619,11 +619,13 @@ namespace Exiv2
aa9105
         char*         p      = (char*) boxBuf.pData_;
aa9105
         bool          bWroteColor = false ;
aa9105
aa9105
-        while ( count < length || !bWroteColor ) {
aa9105
+        while ( count < length && !bWroteColor ) {
aa9105
             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
aa9105
aa9105
             // copy data.  pointer could be into a memory mapped file which we will decode!
aa9105
-            Jp2BoxHeader   subBox = *pSubBox ;
aa9105
+            // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
aa9105
+            Jp2BoxHeader   subBox;
aa9105
+            memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
aa9105
             Jp2BoxHeader   newBox =  subBox;
aa9105
aa9105
             if ( count < length ) {