packages/exiv2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2019-13111

Browse Source
This commit is contained in:
maqiang999 2020-05-21 19:18:37 +08:00
parent b80d061fd9
commit 53d925b15b
2 changed files with 205 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

197
exiv2-CVE-2019-13111.patch Normal file
View File

@ -0,0 +1,197 @@
From c73d1e27198a389ce7caf52ac30f8e2120acdafd Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kev@semmle.com>
Date: Fri, 26 Apr 2019 10:21:46 +0100
Subject: [PATCH 1/1] Avoid negative integer overflow when `filesize <
io_->tell()`.
This fixes #791.
---
include/exiv2/basicio.hpp | 21 +++++++++++++++++++++
include/exiv2/webpimage.hpp | 2 +-
src/basicio.cpp | 14 ++++++++++++++
src/webpimage.cpp | 26 +++++++++++++++-----------
diff -Naur a/include/exiv2/basicio.hpp b/include/exiv2/basicio.hpp
--- a/include/exiv2/basicio.hpp 2020-05-21 17:33:11.452872734 +0800
+++ b/include/exiv2/basicio.hpp 2020-05-21 18:25:25.577619496 +0800
@@ -28,6 +28,7 @@
// *****************************************************************************
// included header files
#include "types.hpp"
+#include "error.hpp"
#include "futils.hpp"
// + standard includes
@@ -155,6 +156,26 @@
*/
virtual long read(byte* buf, long rcount) = 0;
/*!
+ @brief Read data from the IO source. Reading starts at the current
+ IO position and the position is advanced by the number of bytes
+ read. Throw an exception if not enough bytes are available.
+ @param rcount Number of bytes to read.
+ @param err ErrorCode to throw if not enough bytes are available.
+ @return DataBuf instance containing the bytes read.
+ */
+ DataBuf readOrThrow(long rcount, ErrorCode err);
+ /*!
+ @brief Read data from the IO source. Reading starts at the current
+ IO position and the position is advanced by the number of bytes
+ read. Throw an exception if not enough bytes are available.
+ @param buf Pointer to a block of memory into which the read data
+ is stored. The memory block must be at least \em rcount bytes
+ long.
+ @param err ErrorCode to throw if not enough bytes are available.
+ @param rcount Number of bytes to read.
+ */
+ void readOrThrow(byte* buf, long rcount, ErrorCode err);
+ /*!
@brief Read one byte from the IO source. Current IO position is
advanced by one byte.
@return The byte read from the IO source if successful;<BR>
diff -Naur a/include/exiv2/webpimage.hpp b/include/exiv2/webpimage.hpp
--- a/include/exiv2/webpimage.hpp 2020-05-21 17:33:11.452872734 +0800
+++ b/include/exiv2/webpimage.hpp 2020-05-21 18:27:02.307763543 +0800
@@ -95,7 +95,7 @@
byte *header, long header_size);
bool equalsWebPTag(Exiv2::DataBuf& buf ,const char* str);
void debugPrintHex(byte *data, long size);
- void decodeChunks(uint64_t filesize);
+ void decodeChunks(uint32_t filesize);
void inject_VP8X(BasicIo& iIo, bool has_xmp, bool has_exif,
bool has_alpha, bool has_icc, int width,
int height);
diff -Naur a/src/basicio.cpp b/src/basicio.cpp
--- a/src/basicio.cpp 2020-05-21 17:33:11.472872765 +0800
+++ b/src/basicio.cpp 2020-05-21 18:29:18.497966466 +0800
@@ -33,6 +33,7 @@
#include "futils.hpp"
#include "types.hpp"
#include "error.hpp"
+#include "enforce.hpp"
#include "http.hpp"
#include "properties.hpp"
@@ -83,6 +84,18 @@
BasicIo::~BasicIo()
{
}
+ DataBuf BasicIo::readOrThrow(long rcount, ErrorCode err) {
+ DataBuf result = read(rcount);
+ enforce(result.size_ == rcount, err);
+ enforce(!error(), err);
+ return result;
+ }
+
+ void BasicIo::readOrThrow(byte* buf, long rcount, ErrorCode err) {
+ const long nread = read(buf, rcount);
+ enforce(nread == rcount, err);
+ enforce(!error(), err);
+ }
//! Internal Pimpl structure of class FileIo.
class FileIo::Impl {
diff -Naur a/src/webpimage.cpp b/src/webpimage.cpp
--- a/src/webpimage.cpp 2020-05-21 17:33:11.472872765 +0800
+++ b/src/webpimage.cpp 2020-05-21 19:05:02.951135410 +0800
@@ -493,7 +493,7 @@
DataBuf chunkId(5);
chunkId.pData_[4] = '\0' ;
- io_->read(data, WEBP_TAG_SIZE * 3);
+ io_->readOrThrow(data, WEBP_TAG_SIZE * 3, Exiv2::kerCorruptedMetadata);
const uint32_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian) + 8;
enforce(filesize <= io_->size(), Exiv2::kerCorruptedMetadata);
@@ -501,7 +501,7 @@
} // WebPImage::readMetadata
- void WebPImage::decodeChunks(uint64_t filesize)
+ void WebPImage::decodeChunks(uint32_t filesize)
{
DataBuf chunkId(5);
byte size_buff[WEBP_TAG_SIZE];
@@ -513,9 +513,10 @@
chunkId.pData_[4] = '\0' ;
while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
- io_->read(chunkId.pData_, WEBP_TAG_SIZE);
- io_->read(size_buff, WEBP_TAG_SIZE);
+ io_->readOrThrow(chunkId.pData_, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
+ io_->readOrThrow(size_buff, WEBP_TAG_SIZE, Exiv2::kerCorruptedMetadata);
const uint32_t size = Exiv2::getULong(size_buff, littleEndian);
+ enforce(io_->tell() <= filesize, Exiv2::kerCorruptedMetadata);
enforce(size <= (filesize - io_->tell()), Exiv2::kerCorruptedMetadata);
DataBuf payload(size);
@@ -526,7 +527,7 @@
has_canvas_data = true;
byte size_buf[WEBP_TAG_SIZE];
- io_->read(payload.pData_, payload.size_);
+ io_->readOrThrow(payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
// Fetch width
memcpy(&size_buf, &payload.pData_[4], 3);
@@ -541,7 +542,7 @@
enforce(size >= 10, Exiv2::kerCorruptedMetadata);
has_canvas_data = true;
- io_->read(payload.pData_, payload.size_);
+ io_->readOrThrow(payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
byte size_buf[WEBP_TAG_SIZE];
// Fetch width""
@@ -562,7 +563,7 @@
byte size_buf_w[2];
byte size_buf_h[3];
- io_->read(payload.pData_, payload.size_);
+ io_->readOrThrow(payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
// Fetch width
memcpy(&size_buf_w, &payload.pData_[1], 2);
@@ -580,7 +581,7 @@
has_canvas_data = true;
byte size_buf[WEBP_TAG_SIZE];
- io_->read(payload.pData_, payload.size_);
+ io_->readOrThrow(payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
// Fetch width
memcpy(&size_buf, &payload.pData_[6], 3);
@@ -592,10 +593,10 @@
size_buf[3] = 0;
pixelHeight_ = Exiv2::getULong(size_buf, littleEndian) + 1;
} else if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ICCP)) {
- io_->read(payload.pData_, payload.size_);
+ io_->readOrThrow(payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
this->setIccProfile(payload);
} else if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_EXIF)) {
- io_->read(payload.pData_, payload.size_);
+ io_->readOrThrow(payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
byte size_buff[2];
byte exifLongHeader[] = { 0xFF, 0x01, 0xFF, 0xE1 };
@@ -676,7 +677,7 @@
if (rawExifData) free(rawExifData);
} else if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_XMP)) {
- io_->read(payload.pData_, payload.size_);
+ io_->readOrThrow(payload.pData_, payload.size_, Exiv2::kerCorruptedMetadata);
xmpPacket_.assign(reinterpret_cast<char*>(payload.pData_), payload.size_);
if (xmpPacket_.size() > 0 && XmpParser::decode(xmpData_, xmpPacket_)) {
#ifndef SUPPRESS_WARNINGS
@@ -708,7 +709,10 @@
}
bool isWebPType(BasicIo& iIo, bool /*advance*/)
- {
+ {
+ if (iIo.size() < 12) {
+ return false;
+ }
const int32_t len = 4;
const unsigned char RiffImageId[4] = { 'R', 'I', 'F' ,'F'};
const unsigned char WebPImageId[4] = { 'W', 'E', 'B' ,'P'};

9
exiv2.spec
View File

@ -1,6 +1,6 @@
Name: exiv2
Version: 0.26
Release: 19
Release: 20
Summary: Exif, IPTC and XMP metadata and the ICC Profile
License: GPLv2+
URL: http://www.exiv2.org/
@ -56,6 +56,7 @@ Patch6023: backport-CVE-2018-10772.patch
Patch6024: CVE-2018-11037.patch
Patch6025: backport-Fix-ICC-profile-in-PNG-images.patch
Patch6026: backport-CVE-2019-13109.patch
Patch6027: exiv2-CVE-2019-13111.patch
Provides: exiv2-libs
Obsoletes: exiv2-libs
@ -119,6 +120,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%{_datadir}/doc/html/
%changelog
* Thu May 21 2020 liuzongyu <liuzonyu3@huawei.com> - 0.26-20
- Type:cves
- ID:CVE-2019-13111
- SUG:NA
- DESC:fix CVE-2019-13111
* Tue Apr 28 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.26-19
- Type:cves
- ID:CVE-2019-13109