fix CVE-2021-29457 CVE-2021-29458

2021-04-29 11:16:06 +08:00 · 2021-04-29 11:16:06 +08:00 · 6a6d8fb8ca
commit 6a6d8fb8ca
parent e5ccdf9c80
3 changed files with 67 additions and 1 deletions
--- a/backport-CVE-2021-29457.patch
+++ b/backport-CVE-2021-29457.patch
@ -0,0 +1,29 @@
+From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
+From: Pydera <pydera@mailbox.org>
+Date: Thu, 8 Apr 2021 17:36:16 +0200
+Subject: [PATCH] Fix out of buffer access in #1529
+
+---
+ src/jp2image.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index b21f7f1..917d115 100644
+--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
+@@ -756,9 +756,10 @@ namespace Exiv2
+ #endif
+                 box.length = io_->size() - io_->tell() + 8;
+             }
+-            if (box.length == 1)
+            if (box.length < 8)
+             {
+-                // FIXME. Special case. the real box size is given in another place.
+		// box is broken, so there is nothing we can do here
+                throw Error(kerCorruptedMetadata);
+             }
+ 
+             // Read whole box : Box header + Box data (not fixed size - can be null).
+-- 
+2.23.0
+
--- a/backport-CVE-2021-29458.patch
+++ b/backport-CVE-2021-29458.patch
@ -0,0 +1,29 @@
+From c98d372b48adc6de859dc04e2e0c33441cfe136c Mon Sep 17 00:00:00 2001
+From: Pydera <pydera@mailbox.org>
+Date: Thu, 8 Apr 2021 17:11:38 +0200
+Subject: [PATCH] Fix out of buffer access in #1530
+
+---
+ src/crwimage_int.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/crwimage.cpp b/src/crwimage.cpp
+index a44a67e2c..9155e0042 100644
+--- a/src/crwimage.cpp
+++ b/src/crwimage.cpp
+@@ -1186,11 +1186,13 @@ namespace Exiv2 {
+         CiffComponent* cc = pHead->findComponent(pCrwMapping->crwTagId_,
+                                                  pCrwMapping->crwDir_);
+         if (edX != edEnd || edY != edEnd || edO != edEnd) {
+-            uint32_t size = 28;
+            size_t size = 28;
+             if (cc && cc->size() > size) size = cc->size();
+             DataBuf buf(size);
+             std::memset(buf.pData_, 0x0, buf.size_);
+-            if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
+            if (cc && cc->size() > 8) {
+                std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
+            }
+             if (edX != edEnd && edX->size() == 4) {
+                 edX->copy(buf.pData_, pHead->byteOrder());
+             }
--- a/exiv2.spec
+++ b/exiv2.spec
@ -1,6 +1,6 @@
 Name:    exiv2
 Version: 0.26
-Release: 23
+Release: 24
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL:     http://www.exiv2.org/
@ -59,6 +59,8 @@ Patch6026: backport-CVE-2019-13109.patch
 Patch6027: exiv2-CVE-2019-13111.patch
 Patch6028: CVE-2018-9145.patch
 Patch6029: CVE-2021-3482.patch
+Patch6030: backport-CVE-2021-29457.patch
+Patch6031: backport-CVE-2021-29458.patch

 Provides: exiv2-libs
 Obsoletes: exiv2-libs
@ -122,6 +124,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_datadir}/doc/html/

 %changelog
+* Thu Apr 29 2021 wangkerong <wangkerong@huawei.com> - 0.26-24
+- Type:cves
+- ID:CVE-2021-29457 CVE-2021-29458
+- SUG:NA
+- DESC:fix CVE-2021-29457,CVE-2021-29458
+
 * Thu Apr 22 2021 zhanzhimin <zhanzhimin@huawei.com> - 0.26-23
 - Type:cves
 - ID:CVE-2021-3482