Blame SOURCES/exiv2-CVE-2017-17669.patch

3f58c5
From 06aa7ab69d0c4f3d14644bd84fc9d1346154430d Mon Sep 17 00:00:00 2001
3f58c5
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
3f58c5
Date: Mon, 22 Jan 2018 23:56:08 +0100
3f58c5
Subject: Fix out of bounds read in src/pngchunk_int.cpp by @brianmay
3f58c5
3f58c5
- consider that key is advanced by 8 bytes if stripHeader is true
3f58c5
  => length is reduced by same amount
3f58c5
  Fixed by adding offset to the check in the loop
3f58c5
- Rewrote loop so that keysize is checked before the next
3f58c5
  iteration (preventing an out of bounds read)
3f58c5
3f58c5
diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
3f58c5
index da4ccd01..b54bcdac 100644
3f58c5
--- a/src/pngchunk.cpp
3f58c5
+++ b/src/pngchunk.cpp
3f58c5
@@ -107,15 +107,17 @@ namespace Exiv2 {
3f58c5
     {
3f58c5
         // From a tEXt, zTXt, or iTXt chunk,
3f58c5
         // we get the key, it's a null terminated string at the chunk start
3f58c5
-        if (data.size_ <= (stripHeader ? 8 : 0)) throw Error(14);
3f58c5
-        const byte *key = data.pData_ + (stripHeader ? 8 : 0);
3f58c5
+        const int offset = stripHeader ? 8 : 0;
3f58c5
+        if (data.size_ <= offset) throw Error(14);
3f58c5
+        const byte *key = data.pData_ + offset;
3f58c5
 
3f58c5
         // Find null string at end of key.
3f58c5
         int keysize=0;
3f58c5
-        for ( ; key[keysize] != 0 ; keysize++)
3f58c5
+        while (key[keysize] != 0)
3f58c5
         {
3f58c5
+            keysize++;
3f58c5
             // look if keysize is valid.
3f58c5
-            if (keysize >= data.size_)
3f58c5
+            if (keysize+offset >= data.size_)
3f58c5
                 throw Error(14);
3f58c5
         }
3f58c5