From 0d04a6d900010c754d578ef27d5c26190dc59d2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Mon, 26 Mar 2018 00:34:25 +0200 Subject: [PATCH] Fix CVE-2017-1000126 CVE-2017-1000126 is a Stack out of bounds read in the WebP parser caused by the parameter size & filesize being too large, causing the parser to land in an infinite loop and eventually crash. Enforcing that the size over which the parser iterates is smaller than the file fixes this issue. This fixes #175. (cherry picked from commit 3c20cc06a9ede4e277a9efe94e211c20ceb0ce8d) --- src/webpimage.cpp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/webpimage.cpp b/src/webpimage.cpp index 45d642109..eb5649728 100644 --- a/src/webpimage.cpp +++ b/src/webpimage.cpp @@ -493,7 +494,9 @@ namespace Exiv2 { io_->read(data, WEBP_TAG_SIZE * 3); - WebPImage::decodeChunks(Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian) + 12); + const uint32_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian) + 8; + enforce(filesize <= io_->size(), Exiv2::kerCorruptedMetadata); + WebPImage::decodeChunks(filesize); } // WebPImage::readMetadata @@ -511,7 +514,8 @@ namespace Exiv2 { while ( !io_->eof() && (uint64_t) io_->tell() < filesize) { io_->read(chunkId.pData_, WEBP_TAG_SIZE); io_->read(size_buff, WEBP_TAG_SIZE); - long size = Exiv2::getULong(size_buff, littleEndian); + const uint32_t size = Exiv2::getULong(size_buff, littleEndian); + enforce(size <= (filesize - io_->tell()), Exiv2::kerCorruptedMetadata); DataBuf payload(size);