!3 fix CVE-2018-11037

Merge pull request !3 from Vchanger/cve
2020-04-16 11:41:28 +08:00 · 2020-04-16 11:41:28 +08:00 · 46fb9392a9
commit 46fb9392a9
parent e16270f20e 6629f03167
2 changed files with 53 additions and 1 deletions
--- a/CVE-2018-11037.patch
+++ b/CVE-2018-11037.patch
@ -0,0 +1,45 @@
+From e40c9c148e4d2135d0d732b8dff994a9afde3394 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Fri, 6 Jul 2018 11:51:55 +0200
+Subject: [PATCH] Remove buffer overread in tExtToDataBuf
+
+The pointer p is advanced in the while loop to step over three '\n'.
+However, its length is never reduced accordingly. => the length check in the
+following for loop is invalid, as it permits overreading by the number of
+characters that p was advanced by.
+---
+ src/pngimage.cpp | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/pngimage.cpp b/src/pngimage.cpp
+index dc623c4..a99a20b 100644
+--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
+@@ -160,12 +160,21 @@ namespace Exiv2 {
+         }
+ 
+         // calculate length and allocate result;
+        // count: number of \n in the header
+         long        count=0;
+        // p points to the current position in the array bytes
+         const byte* p = bytes ;
+-        // header is \nsomething\n number\n hex
+-        while ( count < 3 )
+-            if ( *p++ == '\n' )
+
+        // header is '\nsomething\n number\n hex'
+        // => increment p until it points to the byte after the last \n
+        //    p must stay within bounds of the bytes array!
+        while ((count < 3) && (p - bytes < length)) {
+            // length is later used for range checks of p => decrement it for each increment of p
+            --length;
+            if ( *p++ == '\n' ) {
+                 count++;
+            }
+        }
+         for ( long i = 0 ; i < length ; i++ )
+             if ( value[p[i]] )
+                 ++count;
+-- 
+1.8.3.1
+
--- a/exiv2.spec
+++ b/exiv2.spec
@ -1,6 +1,6 @@
 Name:    exiv2
 Version: 0.26
-Release: 17
+Release: 18
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL:     http://www.exiv2.org/
@ -53,6 +53,7 @@ Patch6020: CVE-2018-17581.patch
 Patch6021: CVE-2019-13110-Avoid-integer-overflow.patch
 Patch6022: CVE-2018-4868.patch
 Patch6023: backport-CVE-2018-10772.patch
+Patch6024: CVE-2018-11037.patch

 Provides: exiv2-libs
 Obsoletes: exiv2-libs
@ -116,6 +117,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_datadir}/doc/html/

 %changelog
+* Thu Apr 16 2020 chenzhen <chenzhen44@huawei.com> - 0.26-18
+- Type:cves
+- ID:CVE-2018-11037
+- SUG:NA
+- DESC:fix CVE-2018-11037
+
 * Wed Mar 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.26-17
 - Type:cves
 - ID:NA