rpms / exiv2

Clone
Source Code
GIT

Blame SOURCES/exiv2-CVE-2021-37618.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   7e7e1a028616ce4f89fcfbb5b6facb60035ad49c
  2.   SOURCES
  3.   exiv2-CVE-2021-37618.patch
Blob History Raw
7e7e1a 
From f13ebca839e55d0c7ea1c7f57ae667c47fe9c0d5 Mon Sep 17 00:00:00 2001
7e7e1a 
From: Kevin Backhouse <kevinbackhouse@github.com>
7e7e1a 
Date: Mon, 5 Jul 2021 10:39:08 +0100
7e7e1a 
Subject: [PATCH 1/2] Regression test for
7e7e1a 
 https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
7e7e1a
7e7e1a 
---
7e7e1a 
 test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2   | Bin 0 -> 32768 bytes
7e7e1a 
 .../github/test_issue_ghsa_583f_w9pm_99r2.py  |  18 ++++++++++++++++++
7e7e1a 
 2 files changed, 18 insertions(+)
7e7e1a 
 create mode 100644 test/data/issue_ghsa_583f_w9pm_99r2_poc.jp2
7e7e1a 
 create mode 100644 tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
7e7e1a
7e7e1a 
diff --git a/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
7e7e1a 
new file mode 100644
7e7e1a 
index 000000000..808916aee
7e7e1a 
--- /dev/null
7e7e1a 
+++ b/tests/bugfixes/github/test_issue_ghsa_583f_w9pm_99r2.py
7e7e1a 
@@ -0,0 +1,18 @@
7e7e1a 
+# -*- coding: utf-8 -*-
7e7e1a 
+
7e7e1a 
+from system_tests import CaseMeta, path, check_no_ASAN_UBSAN_errors
7e7e1a 
+
7e7e1a 
+class Jp2ImagePrintStructureICC(metaclass=CaseMeta):
7e7e1a 
+    """
7e7e1a 
+    Regression test for the bug described in:
7e7e1a 
+    https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2
7e7e1a 
+    """
7e7e1a 
+    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-583f-w9pm-99r2"
7e7e1a 
+
7e7e1a 
+    filename = path("$data_path/issue_ghsa_583f_w9pm_99r2_poc.jp2")
7e7e1a 
+    commands = ["$exiv2 -p C $filename"]
7e7e1a 
+    stdout = [""]
7e7e1a 
+    stderr = ["""Exiv2 exception in print action for file $filename:
7e7e1a 
+$kerCorruptedMetadata
7e7e1a 
+"""]
7e7e1a 
+    retval = [1]
7e7e1a
7e7e1a 
From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
7e7e1a 
From: Kevin Backhouse <kevinbackhouse@github.com>
7e7e1a 
Date: Mon, 5 Jul 2021 10:40:03 +0100
7e7e1a 
Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
7e7e1a
7e7e1a 
---
7e7e1a 
 src/jp2image.cpp | 2 ++
7e7e1a 
 1 file changed, 2 insertions(+)
7e7e1a
7e7e1a 
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
7e7e1a 
index 3bf356629..2d6dc2118 100644
7e7e1a 
--- a/src/jp2image.cpp
7e7e1a 
+++ b/src/jp2image.cpp
7e7e1a 
@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m)
7e7e1a
7e7e1a 
                             if (subBox.type == kJp2BoxTypeColorHeader) {
7e7e1a 
                                 long pad = 3;  // don't know why there are 3 padding bytes
7e7e1a 
+                                enforce(data.size_ >= pad, kerCorruptedMetadata);
7e7e1a 
                                 if (bPrint) {
7e7e1a 
                                     out << " | pad:";
7e7e1a 
                                     for (int i = 0; i < 3; i++)
7e7e1a 
@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m)
7e7e1a 
                                 if (bPrint) {
7e7e1a 
                                     out << " | iccLength:" << iccLength;
7e7e1a 
                                 }
7e7e1a 
+                                enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
7e7e1a 
                                 if (bICC) {
7e7e1a 
                                     out.write((const char*)data.pData_ + pad, iccLength);
7e7e1a 
                                 }

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation