fix CVE-2019-13109

2020-04-28 18:01:48 +08:00 · 2020-04-28 18:01:48 +08:00 · 0b73b604d3
commit 0b73b604d3
parent 46fb9392a9
4 changed files with 129 additions and 1 deletions
--- a/backport-CVE-2019-13109.patch
+++ b/backport-CVE-2019-13109.patch
@ -0,0 +1,36 @@
+From 1fc5ef40b15735e1b02ec752ec535c19831aafa6 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kev@semmle.com>
+Date: Thu, 25 Apr 2019 21:31:50 +0100
+Subject: [PATCH] Avoid negative integer overflow when `iccOffset >
+ chunkLength`.
+
+This fixes #790.
+
+(cherry picked from commit 6fa2e31206127bd8bcac0269311f3775a8d6ea21)
+---
+ src/pngimage.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/pngimage.cpp b/src/pngimage.cpp
+index 49c8336..435dd3b 100644
+--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
+@@ -40,6 +40,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include "image_int.hpp"
+ #include "basicio.hpp"
+ #include "error.hpp"
+#include "enforce.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+ 
+@@ -480,6 +481,7 @@ namespace Exiv2 {
+                     }
+ 
+                     ++iccOffset; // +1 = 'compressed' flag
+                    enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);
+ 
+                     zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
+ #ifdef DEBUG
+-- 
+1.8.3.1
+
--- a/backport-Fix-ICC-profile-in-PNG-images.patch
+++ b/backport-Fix-ICC-profile-in-PNG-images.patch
@ -0,0 +1,47 @@
+From 466acf56a13a1afa88cefbb249b535088d077c20 Mon Sep 17 00:00:00 2001
+From: Luis Diaz Mas <piponazo@gmail.com>
+Date: Tue, 25 Dec 2018 16:54:26 +0100
+Subject: [PATCH] Fix ICC profile in PNG images
+
+(cherry picked from commit 9a38066b8eddf3948696a3362aac29e012ebe690)
+---
+ src/pngimage.cpp | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/pngimage.cpp b/src/pngimage.cpp
+index ed7399a..49c8336 100644
+--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
+@@ -468,7 +468,20 @@ namespace Exiv2 {
+                 }
+                 else if (!memcmp(cheaderBuf.pData_ + 4, "iCCP", 4))
+                 {
+-                    zlibToDataBuf(cdataBuf.pData_ +12+1,dataOffset-13,iccProfile_); // +1 = 'compressed' flag
+                    // The ICC profile name can vary from 1-79 characters.
+                    uint32_t iccOffset = 0;
+                    while (iccOffset < 80 && iccOffset < dataOffset) {
+
+                        const byte* profileName = cdataBuf.pData_ + iccOffset;
+                        ++iccOffset;
+
+                        if (*profileName == 0x00)
+                            break;
+                    }
+
+                    ++iccOffset; // +1 = 'compressed' flag
+
+                    zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
+ #ifdef DEBUG
+                     std::cout << "Exiv2::PngImage::readMetadata: Found iCCP chunk length: " << dataOffset  << std::endl;
+                     std::cout << "Exiv2::PngImage::readMetadata: iccProfile.size_ : " << iccProfile_.size_ << std::endl;
+@@ -627,6 +640,7 @@ namespace Exiv2 {
+ 
+                         // calculate CRC
+                         uLong   tmp = crc32(0L, Z_NULL, 0);
+                        tmp         = crc32(tmp, (const Bytef*)type             ,typeLen);
+                         tmp         = crc32(tmp, (const Bytef*)header           ,headerLen);
+                         tmp         = crc32(tmp, (const Bytef*)compressed.pData_,compressed.size_);
+                         byte    crc[4];
+-- 
+1.8.3.1
+
--- a/36
+++ b/36
@ -0,0 +1,36 @@
+From 1fc5ef40b15735e1b02ec752ec535c19831aafa6 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kev@semmle.com>
+Date: Thu, 25 Apr 2019 21:31:50 +0100
+Subject: [PATCH] Avoid negative integer overflow when `iccOffset >
+ chunkLength`.
+
+This fixes #790.
+
+(cherry picked from commit 6fa2e31206127bd8bcac0269311f3775a8d6ea21)
+---
+ src/pngimage.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/pngimage.cpp b/src/pngimage.cpp
+index 49c8336..435dd3b 100644
+--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
+@@ -40,6 +40,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include "image_int.hpp"
+ #include "basicio.hpp"
+ #include "error.hpp"
+#include "enforce.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+ 
+@@ -480,6 +481,7 @@ namespace Exiv2 {
+                     }
+ 
+                     ++iccOffset; // +1 = 'compressed' flag
+                    enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);
+ 
+                     zlibToDataBuf(cdataBuf.pData_ +iccOffset,dataOffset-iccOffset,iccProfile_);
+ #ifdef DEBUG
+-- 
+1.8.3.1
+
--- a/exiv2.spec
+++ b/exiv2.spec
@ -1,6 +1,6 @@
 Name:    exiv2
 Version: 0.26
-Release: 18
+Release: 19
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL:     http://www.exiv2.org/
@ -54,6 +54,8 @@ Patch6021: CVE-2019-13110-Avoid-integer-overflow.patch
 Patch6022: CVE-2018-4868.patch
 Patch6023: backport-CVE-2018-10772.patch
 Patch6024: CVE-2018-11037.patch
+Patch6025: backport-Fix-ICC-profile-in-PNG-images.patch
+Patch6026: backport-CVE-2019-13109.patch

 Provides: exiv2-libs
 Obsoletes: exiv2-libs
@ -117,6 +119,13 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_datadir}/doc/html/

 %changelog
+* Tue Apr 28 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.26-19
+- Type:cves
+- ID:CVE-2019-13109
+- SUG:NA
+- DESC:fix CVE-2019-13109
+       fix ICC profile in PNG images
+
 * Thu Apr 16 2020 chenzhen <chenzhen44@huawei.com> - 0.26-18
 - Type:cves
 - ID:CVE-2018-11037