rpms / compat-exiv2-026

Clone
Source Code
GIT

Blame SOURCES/exiv2-CVE-2017-17723.patch

c7 c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s
  1.   c7-beta
  2.   SOURCES
  3.   exiv2-CVE-2017-17723.patch
Blob History Raw
cc1899 
diff --git a/include/exiv2/value.hpp b/include/exiv2/value.hpp
cc1899 
index 64a8ca7..4e9f285 100644
cc1899 
--- a/include/exiv2/value.hpp
cc1899 
+++ b/include/exiv2/value.hpp
cc1899 
@@ -1658,11 +1658,13 @@ namespace Exiv2 {
cc1899 
         ok_ = true;
cc1899 
         return static_cast<long>(value_[n]);
cc1899 
     }
cc1899 
+// #55 crash when value_[n].first == LONG_MIN
cc1899 
+#define LARGE_INT 1000000
cc1899 
     // Specialization for rational
cc1899 
     template<>
cc1899 
     inline long ValueType<Rational>::toLong(long n) const
cc1899 
     {
cc1899 
-        ok_ = (value_[n].second != 0);
cc1899 
+        ok_ = (value_[n].second != 0 && -LARGE_INT < value_[n].first && value_[n].first < LARGE_INT);
cc1899 
         if (!ok_) return 0;
cc1899 
         return value_[n].first / value_[n].second;
cc1899 
     }
cc1899 
@@ -1670,7 +1672,7 @@ namespace Exiv2 {
cc1899 
     template<>
cc1899 
     inline long ValueType<URational>::toLong(long n) const
cc1899 
     {
cc1899 
-        ok_ = (value_[n].second != 0);
cc1899 
+        ok_ = (value_[n].second != 0 && value_[n].first < LARGE_INT);
cc1899 
         if (!ok_) return 0;
cc1899 
         return value_[n].first / value_[n].second;
cc1899 
     }
cc1899 
diff --git a/src/basicio.cpp b/src/basicio.cpp
cc1899 
index 1ede931..eac756f 100644
cc1899 
--- a/src/basicio.cpp
cc1899 
+++ b/src/basicio.cpp
cc1899 
@@ -990,6 +990,7 @@ namespace Exiv2 {
cc1899 
     DataBuf FileIo::read(long rcount)
cc1899 
     {
cc1899 
         assert(p_->fp_ != 0);
cc1899 
+        if ( (size_t) rcount > size() ) throw Error(57);
cc1899 
         DataBuf buf(rcount);
cc1899 
         long readCount = read(buf.pData_, buf.size_);
cc1899 
         buf.size_ = readCount;
cc1899 
diff --git a/src/image.cpp b/src/image.cpp
cc1899 
index 31b9b81..eeb1f37 100644
cc1899 
--- a/src/image.cpp
cc1899 
+++ b/src/image.cpp
cc1899 
@@ -399,7 +399,13 @@ namespace Exiv2 {
cc1899 
                                 ;
cc1899
cc1899 
                 // if ( offset > io.size() ) offset = 0; // Denial of service?
cc1899 
-                DataBuf  buf(size*count + pad+20);  // allocate a buffer
cc1899 
+
cc1899 
+                // #55 memory allocation crash test/data/POC8
cc1899 
+                long long allocate = (long long) size*count + pad+20;
cc1899 
+                if ( allocate > (long long) io.size() ) {
cc1899 
+                    throw Error(57);
cc1899 
+                }
cc1899 
+                DataBuf  buf(allocate);  // allocate a buffer
cc1899 
                 std::memcpy(buf.pData_,dir.pData_+8,4);  // copy dir[8:11] into buffer (short strings)
cc1899 
                 if ( count*size > 4 ) {            // read into buffer
cc1899 
                     size_t   restore = io.tell();  // save

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation