packages/exiv2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-3482

Browse Source
This commit is contained in:
zhanzhimin 2021-04-22 17:25:51 +08:00 committed by zhanzhimin
parent cc572f864a
commit 4851ee57af
2 changed files with 65 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
CVE-2021-3482.patch Normal file
View File

@ -0,0 +1,57 @@
From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
From: Robin Mills <robin@clanmills.com>
Date: Mon, 5 Apr 2021 20:33:25 +0100
Subject: [PATCH] fix_1522_jp2image_exif_asan
---
src/jp2image.cpp | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index a81e68f..8e36276 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -38,6 +38,7 @@ EXIV2_RCSID("@(#) $Id$")
#include "image.hpp"
#include "image_int.hpp"
#include "basicio.hpp"
+#include "enforce.hpp"
#include "error.hpp"
#include "futils.hpp"
#include "types.hpp"
@@ -345,7 +346,7 @@ namespace Exiv2
if (io_->error()) throw Error(14);
if (bufRead != rawData.size_) throw Error(20);
- if (rawData.size_ > 0)
+ if (rawData.size_ > 8) // "II*\0long"
{
// Find the position of Exif header in bytes array.
long pos = ( (rawData.pData_[0] == rawData.pData_[1])
@@ -484,6 +485,7 @@ namespace Exiv2
position = io_->tell();
box.length = getLong((byte*)&box.length, bigEndian);
box.type = getLong((byte*)&box.type, bigEndian);
+ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
if ( bPrint ) {
out << Internal::stringFormat("%8ld | %8ld | ",position-sizeof(box),box.length) << toAscii(box.type) << " | " ;
@@ -560,12 +562,13 @@ namespace Exiv2
if (bufRead != rawData.size_) throw Error(20);
if ( bPrint ){
- out << Internal::binaryToString(rawData,40,0);
+ out << Internal::binaryToString(
+ rawData, rawData.size_>40?40:rawData.size_, 0);
out.flush();
}
lf(out,bLF);
- if(bIsExif && bRecursive && rawData.size_ > 0)
+ if(bIsExif && bRecursive && rawData.size_ > 8) // "II*\0long"
{
if ( (rawData.pData_[0] == rawData.pData_[1])
&& (rawData.pData_[0]=='I' || rawData.pData_[0]=='M' )
--
2.23.0

9
exiv2.spec
View File

@ -1,6 +1,6 @@
Name: exiv2 Name: exiv2
Version: 0.26 Version: 0.26
Release: 22 Release: 23
Summary: Exif, IPTC and XMP metadata and the ICC Profile Summary: Exif, IPTC and XMP metadata and the ICC Profile
License: GPLv2+ License: GPLv2+
URL: http://www.exiv2.org/ URL: http://www.exiv2.org/
@ -58,6 +58,7 @@ Patch6025: backport-Fix-ICC-profile-in-PNG-images.patch
Patch6026: backport-CVE-2019-13109.patch Patch6026: backport-CVE-2019-13109.patch
Patch6027: exiv2-CVE-2019-13111.patch Patch6027: exiv2-CVE-2019-13111.patch
Patch6028: CVE-2018-9145.patch Patch6028: CVE-2018-9145.patch
Patch6029: CVE-2021-3482.patch
Provides: exiv2-libs Provides: exiv2-libs
Obsoletes: exiv2-libs Obsoletes: exiv2-libs
@ -121,6 +122,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%{_datadir}/doc/html/ %{_datadir}/doc/html/
%changelog %changelog
* Thu Apr 22 2021 zhanzhimin <zhanzhimin@huawei.com> - 0.26-23
- Type:cves
- ID:CVE-2021-3482
- SUG:NA
- DESC:fix CVE-2021-3482
* Thu Sep 17 2020 zhanzhimin <zhanzhimin@huawei.com> - 0.26-22 * Thu Sep 17 2020 zhanzhimin <zhanzhimin@huawei.com> - 0.26-22
- Type:cves - Type:cves
- ID:CVE-2018-9145 - ID:CVE-2018-9145