rpms / compat-exiv2-026

Clone
Source Code
GIT

Blame SOURCES/exiv2-CVE-2018-11531.patch

c7 c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s
  1.   4e712471db065a33592a24f96a633eeddaf06bd9
  2.   SOURCES
  3.   exiv2-CVE-2018-11531.patch
Blob History Raw
3f58c5 
diff --git a/src/preview.cpp b/src/preview.cpp
3f58c5 
index c34c8bd..69f8e01 100644
3f58c5 
--- a/src/preview.cpp
3f58c5 
+++ b/src/preview.cpp
3f58c5 
@@ -36,6 +36,7 @@ EXIV2_RCSID("@(#) $Id$")
3f58c5
3f58c5 
 #include "preview.hpp"
3f58c5 
 #include "futils.hpp"
3f58c5 
+#include "enforce.hpp"
3f58c5
3f58c5 
 #include "image.hpp"
3f58c5 
 #include "cr2image.hpp"
3f58c5 
@@ -807,13 +808,14 @@ namespace {
3f58c5 
                 else {
3f58c5 
                     // FIXME: the buffer is probably copied twice, it should be optimized
3f58c5 
                     DataBuf buf(size_);
3f58c5 
-                    Exiv2::byte* pos = buf.pData_;
3f58c5 
+                    uint32_t idxBuf = 0;
3f58c5 
                     for (int i = 0; i < sizes.count(); i++) {
3f58c5 
                         uint32_t offset = dataValue.toLong(i);
3f58c5 
                         uint32_t size = sizes.toLong(i);
3f58c5 
-                        if (offset + size <= static_cast<uint32_t>(io.size()))
3f58c5 
-                            memcpy(pos, base + offset, size);
3f58c5 
-                        pos += size;
3f58c5 
+                        enforce(idxBuf + size < size_, kerCorruptedMetadata);
3f58c5 
+                        if (size!=0 && offset + size <= static_cast<uint32_t>(io.size()))
3f58c5 
+                            memcpy(&buf.pData_[idxBuf], base + offset, size);
3f58c5 
+                        idxBuf += size;
3f58c5 
                     }
3f58c5 
                     dataValue.setDataArea(buf.pData_, buf.size_);
3f58c5 
                 }

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation