From c03f73268f65c73f9d3d7b670f13e48e92692750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com>
Date: Fri, 18 Sep 2020 14:40:36 +0800
Subject: [PATCH] Prevent SIGABRT on excessive subBox length in jp2image.cpp
This fixes CVE-2018-9145
---
src/jp2image.cpp | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 3cebc2a..6a662fa 100644
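--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -505,6 +505,10 @@ namespace Exiv2
 subBox.length = getLong((byte*)&subBox.length, bigEndian);
 subBox.type = getLong((byte*)&subBox.type, bigEndian);
 
+ // subBox.length makes no sense if it is larger than the rest of the file
+ if (subBox.length > io_->size() - io_->tell()) {
+ throw Error(kerCorruptedMetadata);
+ }
 DataBuf data(subBox.length-sizeof(box));
 io_->read(data.pData_,data.size_);
 if ( bPrint ) {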
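Review bot: The new guard bounds subBox.length only from above, so a value smaller than sizeof(box) still reaches `DataBuf data(subBox.length-sizeof(box));` right after the check, where the subtraction is done in unsigned arithmetic (sizeof yields size_t) and wraps to a very large size. Reject that case in the same condition: `if (subBox.length < sizeof(box) || subBox.length > io_->size() - io_->tell()) {`. It is also worth confirming the types on the right-hand side: if io_->tell() can return a negative error value, `io_->size() - io_->tell()` would not be the remaining byte count, and its declaration is not visible here. The enclosing function begins and ends outside this hunk.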
--
2.27.0