!20 fix CVE-2021-3482

From: @zzm_567 Reviewed-by: @yanan-rock Signed-off-by: @yanan-rock
2021-04-28 11:57:32 +08:00 · 2021-04-28 11:57:32 +08:00 · e5ccdf9c80
commit e5ccdf9c80
parent cc572f864a 4851ee57af
2 changed files with 65 additions and 1 deletions
--- a/CVE-2021-3482.patch
+++ b/CVE-2021-3482.patch
@ -0,0 +1,57 @@
+From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
+From: Robin Mills <robin@clanmills.com>
+Date: Mon, 5 Apr 2021 20:33:25 +0100
+Subject: [PATCH] fix_1522_jp2image_exif_asan
+
+---
+ src/jp2image.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index a81e68f..8e36276 100644
+--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
+@@ -38,6 +38,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include "image.hpp"
+ #include "image_int.hpp"
+ #include "basicio.hpp"
+#include "enforce.hpp"
+ #include "error.hpp"
+ #include "futils.hpp"
+ #include "types.hpp"
+@@ -345,7 +346,7 @@ namespace Exiv2
+                             if (io_->error()) throw Error(14);
+                             if (bufRead != rawData.size_) throw Error(20);
+ 
+-                            if (rawData.size_ > 0)
+                            if (rawData.size_ > 8) // "II*\0long"
+                             {
+                                 // Find the position of Exif header in bytes array.
+                                 long pos = (     (rawData.pData_[0]      == rawData.pData_[1])
+@@ -484,6 +485,7 @@ namespace Exiv2
+                 position   = io_->tell();
+                 box.length = getLong((byte*)&box.length, bigEndian);
+                 box.type   = getLong((byte*)&box.type, bigEndian);
+                enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
+ 
+                 if ( bPrint ) {
+                     out << Internal::stringFormat("%8ld | %8ld | ",position-sizeof(box),box.length) << toAscii(box.type) << "      | " ;
+@@ -560,12 +562,13 @@ namespace Exiv2
+                             if (bufRead != rawData.size_) throw Error(20);
+ 
+                             if ( bPrint ){
+-                                out << Internal::binaryToString(rawData,40,0);
+                                out << Internal::binaryToString(
+                                        rawData, rawData.size_>40?40:rawData.size_, 0);
+                                 out.flush();
+                             }
+                             lf(out,bLF);
+ 
+-                            if(bIsExif && bRecursive && rawData.size_ > 0)
+                            if(bIsExif && bRecursive && rawData.size_ > 8) // "II*\0long"
+                             {
+                                 if ( (rawData.pData_[0]      == rawData.pData_[1])
+                                     &&   (rawData.pData_[0]=='I' || rawData.pData_[0]=='M' )
+-- 
+2.23.0
+
--- a/exiv2.spec
+++ b/exiv2.spec
@ -1,6 +1,6 @@
 Name:    exiv2
 Version: 0.26
-Release: 22
+Release: 23
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL:     http://www.exiv2.org/
@ -58,6 +58,7 @@ Patch6025: backport-Fix-ICC-profile-in-PNG-images.patch
 Patch6026: backport-CVE-2019-13109.patch
 Patch6027: exiv2-CVE-2019-13111.patch
 Patch6028: CVE-2018-9145.patch
+Patch6029: CVE-2021-3482.patch

 Provides: exiv2-libs
 Obsoletes: exiv2-libs
@ -121,6 +122,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_datadir}/doc/html/

 %changelog
+* Thu Apr 22 2021 zhanzhimin <zhanzhimin@huawei.com> - 0.26-23
+- Type:cves
+- ID:CVE-2021-3482
+- SUG:NA
+- DESC:fix CVE-2021-3482
+
 * Thu Sep 17 2020 zhanzhimin <zhanzhimin@huawei.com> - 0.26-22
 - Type:cves
 - ID:CVE-2018-9145