!17 fix CVE-2018-9145

From: @zzm_567 Reviewed-by: @orange-snn Signed-off-by: @orange-snn
2020-09-18 16:12:55 +08:00 · 2020-09-18 16:12:55 +08:00 · cc572f864a
commit cc572f864a
parent 36954497c2 fff613f338
2 changed files with 35 additions and 1 deletions
--- a/CVE-2018-9145.patch
+++ b/CVE-2018-9145.patch
@ -0,0 +1,27 @@
+From c03f73268f65c73f9d3d7b670f13e48e92692750 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?= <roberto@connexer.com>
+Date: Fri, 18 Sep 2020 14:40:36 +0800
+Subject: [PATCH] Prevent SIGABRT on excessive subBox length in jp2image.cpp
+
+This fixes CVE-2018-9145
+---
+ src/jp2image.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 3cebc2a..6a662fa 100644
+--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
+@@ -505,6 +505,10 @@ namespace Exiv2
+                             subBox.length = getLong((byte*)&subBox.length, bigEndian);
+                             subBox.type   = getLong((byte*)&subBox.type, bigEndian);
+
+                           // subBox.length makes no sense if it is larger than the rest of the file
+                            if (subBox.length > io_->size() - io_->tell()) {
+                                throw Error(kerCorruptedMetadata);
+                            }
+                             DataBuf data(subBox.length-sizeof(box));
+                             io_->read(data.pData_,data.size_);
+                             if ( bPrint ) {
+--
+2.27.0
--- a/exiv2.spec
+++ b/exiv2.spec
@ -1,6 +1,6 @@
 Name:    exiv2
 Version: 0.26
-Release: 21
+Release: 22
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL:     http://www.exiv2.org/
@ -57,6 +57,7 @@ Patch6024: CVE-2018-11037.patch
 Patch6025: backport-Fix-ICC-profile-in-PNG-images.patch
 Patch6026: backport-CVE-2019-13109.patch
 Patch6027: exiv2-CVE-2019-13111.patch
+Patch6028: CVE-2018-9145.patch

 Provides: exiv2-libs
 Obsoletes: exiv2-libs
@ -120,6 +121,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_datadir}/doc/html/

 %changelog
+* Thu Sep 17 2020 zhanzhimin <zhanzhimin@huawei.com> - 0.26-22
+- Type:cves
+- ID:CVE-2018-9145
+- SUG:NA
+- DESC:fix CVE-2018-9145
+
 * Tue Sep 8 2020 hanhui <hanhui15@huawei.com> - 0.26.21
 - Type:bugfix
 - ID:NA