rpms / exiv2

Clone
Source Code
GIT

Blame SOURCES/exiv2-CVE-2021-29457.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   e4b251947d653200a60e1dcf3ea629758abf9c5c
  2.   SOURCES
  3.   exiv2-CVE-2021-29457.patch
Blob History Raw
a52745 
From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
a52745 
From: Pydera <pydera@mailbox.org>
a52745 
Date: Thu, 8 Apr 2021 17:36:16 +0200
a52745 
Subject: [PATCH] Fix out of buffer access in #1529
a52745
a52745 
---
a52745 
 src/jp2image.cpp | 5 +++--
a52745 
 1 file changed, 3 insertions(+), 2 deletions(-)
a52745
a52745 
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
a52745 
index 88ab9b2d6..12025f966 100644
a52745 
--- a/src/jp2image.cpp
a52745 
+++ b/src/jp2image.cpp
a52745 
@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)
a52745 
 #endif
a52745 
                 box.length = (uint32_t) (io_->size() - io_->tell() + 8);
a52745 
             }
a52745 
-            if (box.length == 1)
a52745 
+            if (box.length < 8)
a52745 
             {
a52745 
-                // FIXME. Special case. the real box size is given in another place.
a52745 
+                // box is broken, so there is nothing we can do here
a52745 
+                throw Error(kerCorruptedMetadata);
a52745 
             }
a52745
a52745 
             // Read whole box : Box header + Box data (not fixed size - can be null).

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation