From 0d04a6d900010c754d578ef27d5c26190dc59d2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Mon, 26 Mar 2018 00:34:25 +0200
Subject: [PATCH] Fix CVE-2017-1000126
CVE-2017-1000126 is a stack out-of-bounds read in the WebP parser caused by the
parameter size & filesize being too large, causing the parser to land in an
infinite loop and eventually crash. Enforcing that the size over which the
parser iterates is smaller than the file fixes this issue.
This fixes #175.
(cherry picked from commit 3c20cc06a9ede4e277a9efe94e211c20ceb0ce8d)
---
src/webpimage.cpp | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/webpimage.cpp b/src/webpimage.cpp
index 45d642109..eb5649728 100644
--- a/src/webpimage.cpp
+++ b/src/webpimage.cpp
@@ -493,7 +494,9 @@ namespace Exiv2 {
io_->read(data, WEBP_TAG_SIZE * 3);
- WebPImage::decodeChunks(Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian) + 12);
+ const uint32_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian) + 8;
+ enforce(filesize <= io_->size(), Exiv2::kerCorruptedMetadata);
+ WebPImage::decodeChunks(filesize);
} // WebPImage::readMetadata
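Review bot: The `+ 8` on the new `filesize` line is done in uint32_t, so a RIFF size field in the top eight values of the 32-bit range wraps to a value between 0 and 7, which then passes `enforce(filesize <= io_->size(), ...)` and is handed to decodeChunks as a plausible-looking length. As far as this hunk shows the consequence is only that the chunk loop exits at once, but a header that cannot describe a valid file should be rejected as corrupt rather than silently accepted, so I would read the raw field first and guard the addition: `const uint32_t riffSize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian);` followed by `enforce(riffSize <= UINT32_MAX - 8, Exiv2::kerCorruptedMetadata);` before forming `filesize`. A one-line comment on why the offset changed from 12 to 8, e.g. `// RIFF size field excludes the 8-byte "RIFF" + size header`, would also save the next reader a trip to the spec. The body of readMetadata begins outside this hunk, and whether `io_->size()` is signed (which would matter for the comparison on 32-bit targets) cannot be seen from here.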
@@ -511,7 +514,8 @@ namespace Exiv2 {
while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
io_->read(chunkId.pData_, WEBP_TAG_SIZE);
io_->read(size_buff, WEBP_TAG_SIZE);
- long size = Exiv2::getULong(size_buff, littleEndian);
+ const uint32_t size = Exiv2::getULong(size_buff, littleEndian);
+ enforce(size <= (filesize - io_->tell()), Exiv2::kerCorruptedMetadata);
DataBuf payload(size);