Blame SOURCES/exiv2-CVE-2021-29470.patch

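diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 0de088d..6310c08 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
         DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
         int     outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
         int      inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+        enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
         Jp2BoxHeader* pBox   = (Jp2BoxHeader*) boxBuf.pData_;
         int32_t       length = getLong((byte*)&pBox->length, bigEndian);
+        enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
         int32_t       count  = sizeof (Jp2BoxHeader);
         char*         p      = (char*) boxBuf.pData_;
         bool          bWroteColor = false ;
 
         while ( count < length || !bWroteColor ) {
+            enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
 
             // copy data.  pointer could be into a memory mapped file which we will decode!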
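Review bot: The two checks added before the loop compare against `output.size_`, but the header cast and the later `p+count` reads go through `boxBuf.pData_`, and the allocation line shows `output` is larger than `boxBuf` by `iccProfile_.size_ + 100`, so a `length` that passes can still exceed the input buffer. Bounding by the source buffer would match the reads: `enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(boxBuf.size_), Exiv2::kerCorruptedMetadata);` before the cast and `enforce(length <= static_cast<size_t>(boxBuf.size_), Exiv2::kerCorruptedMetadata);` after `getLong`. In the loop guard, `length - count` is a signed `int32_t` difference converted to `size_t`, and because the loop keeps running while `!bWroteColor`, a `count` that has moved past `length` would wrap to a large value and pass; testing `count < length` first in that `enforce` would close the gap. The enclosing function starts and ends outside the hunk, so checks on sub-box lengths further down may already cover part of this.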