!29 fix cve-2021-29470

From: @kerongw Reviewed-by: @shirely16,@yanan-rock Signed-off-by: @yanan-rock
2021-05-08 17:58:50 +08:00 · 2021-05-08 17:58:50 +08:00 · 050bf70d50
commit 050bf70d50
parent 587356ebec bc407b1224
2 changed files with 47 additions and 1 deletions
--- a/backport-CVE-2021-29470.patch
+++ b/backport-CVE-2021-29470.patch
@ -0,0 +1,39 @@
+From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 21 Apr 2021 12:06:04 +0100
+Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header
+
+---
+ src/jp2image.cpp | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 917d115..0825d99 100644
+--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
+@@ -626,15 +626,18 @@ namespace Exiv2
+     void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
+     {
+         DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+-        int     outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+-        int      inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+        long     outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+        long     inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+	enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+         Jp2BoxHeader* pBox   = (Jp2BoxHeader*) boxBuf.pData_;
+-        int32_t       length = getLong((byte*)&pBox->length, bigEndian);
+-        int32_t       count  = sizeof (Jp2BoxHeader);
+        uint32_t       length = getLong((byte*)&pBox->length, bigEndian);
+	enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+        uint32_t       count  = sizeof (Jp2BoxHeader);
+         char*         p      = (char*) boxBuf.pData_;
+         bool          bWroteColor = false ;
+ 
+         while ( count < length || !bWroteColor ) {
+	    enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+ 
+             // copy data.  pointer could be into a memory mapped file which we will decode!
+-- 
+2.23.0
+
--- a/exiv2.spec
+++ b/exiv2.spec
@ -1,6 +1,6 @@
 Name:    exiv2
 Version: 0.26
-Release: 24
+Release: 25
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL:     http://www.exiv2.org/
@ -61,6 +61,7 @@ Patch6028: CVE-2018-9145.patch
 Patch6029: CVE-2021-3482.patch
 Patch6030: backport-CVE-2021-29457.patch
 Patch6031: backport-CVE-2021-29458.patch
+Patch6032: backport-CVE-2021-29470.patch

 Provides: exiv2-libs
 Obsoletes: exiv2-libs
@ -124,6 +125,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_datadir}/doc/html/

 %changelog
+* Sat May 08 2021 wangkerong <wangkerong@huawei.com> - 0.26-25
+- Type:cve
+- ID:CVE-2021-29470
+- SUG:NA
+- DESC:fix CVE-2021-29470
+
 * Thu Apr 29 2021 wangkerong <wangkerong@huawei.com> - 0.26-24
 - Type:cves
 - ID:CVE-2021-29457 CVE-2021-29458