fix CVE-2019-13109

2020-04-28 18:01:48 +08:00 · 2020-04-28 18:01:48 +08:00 · 0b73b604d3
commit 0b73b604d3
parent 46fb9392a9
4 changed files with 129 additions and 1 deletions
--- a/backport-CVE-2019-13109.patch
+++ b/backport-CVE-2019-13109.patch
@ -0,0 +1,36 @@
 From 1fc5ef40b15735e1b02ec752ec535c19831aafa6 Mon Sep 17 00:00:00 2001
 From: Kevin Backhouse <kev@semmle.com>
 Date: Thu, 25 Apr 2019 21:31:50 +0100
 Subject: [PATCH] Avoid negative integer overflow when `iccOffset >
 chunkLength`.
 This fixes #790.
 (cherry picked from commit 6fa2e31206127bd8bcac0269311f3775a8d6ea21)
 ---
 src/pngimage.cpp | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/src/pngimage.cpp b/src/pngimage.cpp
 index 49c8336..435dd3b 100644
 --- a/src/pngimage.cpp
 +++ b/src/pngimage.cpp
@@ -40,6 +40,7 @@ EXIV2_RCSID("@(#) $Id$")
 #include "image_int.hpp"
 #include "basicio.hpp"
 #include "error.hpp"
 +#include "enforce.hpp"
 #include "futils.hpp"
 #include "types.hpp"
@@ -480,6 +481,7 @@ namespace Exiv2 {
                     }
                     ++iccOffset; // +1 = 'compressed' flag
 +                    enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);
                     zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
 #ifdef DEBUG
 -- 
 1.8.3.1
--- a/backport-Fix-ICC-profile-in-PNG-images.patch
+++ b/backport-Fix-ICC-profile-in-PNG-images.patch
@ -0,0 +1,47 @@
 From 466acf56a13a1afa88cefbb249b535088d077c20 Mon Sep 17 00:00:00 2001
 From: Luis Diaz Mas <piponazo@gmail.com>
 Date: Tue, 25 Dec 2018 16:54:26 +0100
 Subject: [PATCH] Fix ICC profile in PNG images
 (cherry picked from commit 9a38066b8eddf3948696a3362aac29e012ebe690)
 ---
 src/pngimage.cpp | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
 diff --git a/src/pngimage.cpp b/src/pngimage.cpp
 index ed7399a..49c8336 100644
 --- a/src/pngimage.cpp
 +++ b/src/pngimage.cpp
@@ -468,7 +468,20 @@ namespace Exiv2 {
                 }
                 else if (!memcmp(cheaderBuf.pData_ + 4, "iCCP", 4))
                 {
 -                    zlibToDataBuf(cdataBuf.pData_ +12+1,dataOffset-13,iccProfile_); // +1 = 'compressed' flag
 +                    // The ICC profile name can vary from 1-79 characters.
 +                    uint32_t iccOffset = 0;
 +                    while (iccOffset < 80 && iccOffset < dataOffset) {
 +
 +                        const byte* profileName = cdataBuf.pData_ + iccOffset;
 +                        ++iccOffset;
 +
 +                        if (*profileName == 0x00)
 +                            break;
 +                    }
 +
 +                    ++iccOffset; // +1 = 'compressed' flag
 +
 +                    zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
 #ifdef DEBUG
                     std::cout << "Exiv2::PngImage::readMetadata: Found iCCP chunk length: " << dataOffset  << std::endl;
                     std::cout << "Exiv2::PngImage::readMetadata: iccProfile.size_ : " << iccProfile_.size_ << std::endl;
@@ -627,6 +640,7 @@ namespace Exiv2 {
                         // calculate CRC
                         uLong   tmp = crc32(0L, Z_NULL, 0);
 +                        tmp         = crc32(tmp, (const Bytef*)type             ,typeLen);
                         tmp         = crc32(tmp, (const Bytef*)header           ,headerLen);
                         tmp         = crc32(tmp, (const Bytef*)compressed.pData_,compressed.size_);
                         byte    crc[4];
 -- 
 1.8.3.1
--- a/36
+++ b/36
@ -0,0 +1,36 @@
 From 1fc5ef40b15735e1b02ec752ec535c19831aafa6 Mon Sep 17 00:00:00 2001
 From: Kevin Backhouse <kev@semmle.com>
 Date: Thu, 25 Apr 2019 21:31:50 +0100
 Subject: [PATCH] Avoid negative integer overflow when `iccOffset >
 chunkLength`.
 This fixes #790.
 (cherry picked from commit 6fa2e31206127bd8bcac0269311f3775a8d6ea21)
 ---
 src/pngimage.cpp | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/src/pngimage.cpp b/src/pngimage.cpp
 index 49c8336..435dd3b 100644
 --- a/src/pngimage.cpp
 +++ b/src/pngimage.cpp
@@ -40,6 +40,7 @@ EXIV2_RCSID("@(#) $Id$")
 #include "image_int.hpp"
 #include "basicio.hpp"
 #include "error.hpp"
 +#include "enforce.hpp"
 #include "futils.hpp"
 #include "types.hpp"
@@ -480,6 +481,7 @@ namespace Exiv2 {
                     }
                     ++iccOffset; // +1 = 'compressed' flag
 +                    enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);
                     zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
 #ifdef DEBUG
 -- 
 1.8.3.1
--- a/exiv2.spec
+++ b/exiv2.spec
@ -1,6 +1,6 @@
 Name:    exiv2
 Version: 0.26
-Release: 18
+Release: 19
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL:     http://www.exiv2.org/
@ -54,6 +54,8 @@ Patch6021: CVE-2019-13110-Avoid-integer-overflow.patch
 Patch6022: CVE-2018-4868.patch
 Patch6023: backport-CVE-2018-10772.patch
 Patch6024: CVE-2018-11037.patch
 Patch6025: backport-Fix-ICC-profile-in-PNG-images.patch
 Patch6026: backport-CVE-2019-13109.patch
 Provides: exiv2-libs
 Obsoletes: exiv2-libs
@ -117,6 +119,13 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_datadir}/doc/html/
 %changelog
 * Tue Apr 28 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.26-19
 - Type:cves
 - ID:CVE-2019-13109
 - SUG:NA
 - DESC:fix CVE-2019-13109
       fix ICC profile in PNG images
 * Thu Apr 16 2020 chenzhen <chenzhen44@huawei.com> - 0.26-18
 - Type:cves
 - ID:CVE-2018-11037