From c03f73268f65c73f9d3d7b670f13e48e92692750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?=
Date: Fri, 18 Sep 2020 14:40:36 +0800
Subject: [PATCH] Prevent SIGABRT on excessive subBox length in jp2image.cpp

This fixes CVE-2018-9145
---
 src/jp2image.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 3cebc2a..6a662fa 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -505,6 +505,10 @@ namespace Exiv2
 subBox.length = getLong((byte*)&subBox.length, bigEndian);
 subBox.type = getLong((byte*)&subBox.type, bigEndian);
 
+ // subBox.length makes no sense if it is larger than the rest of the file
+ if (subBox.length > io_->size() - io_->tell()) {
+ throw Error(kerCorruptedMetadata);
+ }
 DataBuf data(subBox.length-sizeof(box));
 io_->read(data.pData_,data.size_);
 if ( bPrint ) {
--
2.27.0
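Review bot: The new guard bounds subBox.length only from above, so `DataBuf data(subBox.length-sizeof(box));` on the line after it still wraps around when subBox.length is smaller than sizeof(box) — for a 32-bit length read by getLong that is any value 0 through 7 — and the resulting huge allocation is the same abort this commit sets out to prevent; the check should read `if (subBox.length < sizeof(box) || subBox.length > io_->size() - io_->tell())`. Two things I cannot settle from the hunk and would verify: whether io_->tell() can ever exceed io_->size() here (the unsigned subtraction would then wrap and the bound would pass anything), and whether subBox.length counts the box header already consumed — if it does, comparing it against the bytes left after that header rejects a trailing box that ends exactly at EOF, and `subBox.length - sizeof(box) > io_->size() - io_->tell()` (evaluated after the lower-bound check) is the exact form. The return value of `io_->read(data.pData_,data.size_);` is still ignored, so a short read leaves part of data uninitialized before it is parsed; throwing the same kerCorruptedMetadata when the count differs from data.size_ would close that. The enclosing function begins and ends outside this hunk.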