packages/exiv2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

exiv2: fix CVE-2018-11037

Browse Source
This commit is contained in:
Vchanger 2020-04-16 10:28:24 +08:00
parent e16270f20e
commit 6629f03167
2 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
CVE-2018-11037.patch Normal file
View File

@ -0,0 +1,45 @@
From e40c9c148e4d2135d0d732b8dff994a9afde3394 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Fri, 6 Jul 2018 11:51:55 +0200
Subject: [PATCH] Remove buffer overread in tExtToDataBuf
The pointer p is advanced in the while loop to step over three '\n'.
However, its length is never reduced accordingly. => the length check in the
following for loop is invalid, as it permits overreading by the number of
characters that p was advanced by.
---
src/pngimage.cpp | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index dc623c4..a99a20b 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -160,12 +160,21 @@ namespace Exiv2 {
}
// calculate length and allocate result;
+ // count: number of \n in the header
long count=0;
+ // p points to the current position in the array bytes
const byte* p = bytes ;
- // header is \nsomething\n number\n hex
- while ( count < 3 )
- if ( *p++ == '\n' )
+
+ // header is '\nsomething\n number\n hex'
+ // => increment p until it points to the byte after the last \n
+ // p must stay within bounds of the bytes array!
+ while ((count < 3) && (p - bytes < length)) {
+ // length is later used for range checks of p => decrement it for each increment of p
+ --length;
+ if ( *p++ == '\n' ) {
count++;
+ }
+ }
for ( long i = 0 ; i < length ; i++ )
if ( value[p[i]] )
++count;
--
1.8.3.1

9
exiv2.spec
View File

@ -1,6 +1,6 @@
Name: exiv2 Name: exiv2
Version: 0.26 Version: 0.26
Release: 17 Release: 18
Summary: Exif, IPTC and XMP metadata and the ICC Profile Summary: Exif, IPTC and XMP metadata and the ICC Profile
License: GPLv2+ License: GPLv2+
URL: http://www.exiv2.org/ URL: http://www.exiv2.org/
@ -53,6 +53,7 @@ Patch6020: CVE-2018-17581.patch
Patch6021: CVE-2019-13110-Avoid-integer-overflow.patch Patch6021: CVE-2019-13110-Avoid-integer-overflow.patch
Patch6022: CVE-2018-4868.patch Patch6022: CVE-2018-4868.patch
Patch6023: backport-CVE-2018-10772.patch Patch6023: backport-CVE-2018-10772.patch
Patch6024: CVE-2018-11037.patch
Provides: exiv2-libs Provides: exiv2-libs
Obsoletes: exiv2-libs Obsoletes: exiv2-libs
@ -116,6 +117,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
%{_datadir}/doc/html/ %{_datadir}/doc/html/
%changelog %changelog
* Thu Apr 16 2020 chenzhen <chenzhen44@huawei.com> - 0.26-18
- Type:cves
- ID:CVE-2018-11037
- SUG:NA
- DESC:fix CVE-2018-11037
* Wed Mar 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.26-17 * Wed Mar 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.26-17
- Type:cves - Type:cves
- ID:NA - ID:NA