packages/exiv2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!29 fix cve-2021-29470

Browse Source 
From: @kerongw
Reviewed-by: @shirely16,@yanan-rock
Signed-off-by: @yanan-rock
This commit is contained in:
openeuler-ci-bot 2021-05-08 17:58:50 +08:00 committed by Gitee
commit 050bf70d50
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
backport-CVE-2021-29470.patch Normal file
View File

@ -0,0 +1,39 @@
From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 21 Apr 2021 12:06:04 +0100
Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header
---
src/jp2image.cpp | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 917d115..0825d99 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -626,15 +626,18 @@ namespace Exiv2
void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
{
DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
- int32_t length = getLong((byte*)&pBox->length, bigEndian);
- int32_t count = sizeof (Jp2BoxHeader);
+ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
+ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+ uint32_t count = sizeof (Jp2BoxHeader);
char* p = (char*) boxBuf.pData_;
bool bWroteColor = false ;
while ( count < length || !bWroteColor ) {
+ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
// copy data. pointer could be into a memory mapped file which we will decode!
--
2.23.0

9
exiv2.spec
View File

@ -1,6 +1,6 @@
Name: exiv2 Name: exiv2
Version: 0.26 Version: 0.26
Release: 24 Release: 25
Summary: Exif, IPTC and XMP metadata and the ICC Profile Summary: Exif, IPTC and XMP metadata and the ICC Profile
License: GPLv2+ License: GPLv2+
URL: http://www.exiv2.org/ URL: http://www.exiv2.org/
@ -61,6 +61,7 @@ Patch6028: CVE-2018-9145.patch
Patch6029: CVE-2021-3482.patch Patch6029: CVE-2021-3482.patch
Patch6030: backport-CVE-2021-29457.patch Patch6030: backport-CVE-2021-29457.patch
Patch6031: backport-CVE-2021-29458.patch Patch6031: backport-CVE-2021-29458.patch
Patch6032: backport-CVE-2021-29470.patch
Provides: exiv2-libs Provides: exiv2-libs
Obsoletes: exiv2-libs Obsoletes: exiv2-libs
@ -124,6 +125,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%{_datadir}/doc/html/ %{_datadir}/doc/html/
%changelog %changelog
* Sat May 08 2021 wangkerong <wangkerong@huawei.com> - 0.26-25
- Type:cve
- ID:CVE-2021-29470
- SUG:NA
- DESC:fix CVE-2021-29470
* Thu Apr 29 2021 wangkerong <wangkerong@huawei.com> - 0.26-24 * Thu Apr 29 2021 wangkerong <wangkerong@huawei.com> - 0.26-24
- Type:cves - Type:cves
- ID:CVE-2021-29457 CVE-2021-29458 - ID:CVE-2021-29457 CVE-2021-29458