From 2af96394e378153c3608785398cebf51d6421438 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 09 2021 18:19:33 +0000
Subject: import compat-exiv2-026-0.26-5.el8


---

diff --git a/SOURCES/exiv2-CVE-2021-31291.patch b/SOURCES/exiv2-CVE-2021-31291.patch
new file mode 100644
index 0000000..749d573
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2021-31291.patch
@@ -0,0 +1,26 @@
+From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
+From: Pydera <pydera@mailbox.org>
+Date: Thu, 8 Apr 2021 17:36:16 +0200
+Subject: [PATCH] Fix out of buffer access in #1529
+
+---
+ src/jp2image.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 1892fd4..01a21f2 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -737,9 +737,10 @@ namespace Exiv2
+ #endif
+                 box.length = io_->size() - io_->tell() + 8;
+             }
+-            if (box.length == 1)
++            if (box.length < 8)
+             {
+-                // FIXME. Special case. the real box size is given in another place.
++                // box is broken, so there is nothing we can do here
++                throw Error(kerCorruptedMetadata);
+             }
+
+             // Read whole box : Box header + Box data (not fixed size - can be null).
diff --git a/SOURCES/exiv2-CVE-2021-31292.patch b/SOURCES/exiv2-CVE-2021-31292.patch
new file mode 100644
index 0000000..09f2199
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2021-31292.patch
@@ -0,0 +1,26 @@
+From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 9 Apr 2021 13:37:48 +0100
+Subject: [PATCH] Fix integer overflow.
+
+---
+ src/crwimage.cpp | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/crwimage.cpp b/src/crwimage.cpp
+index ca79aa7..cd6200c 100644
+--- a/src/crwimage.cpp
++++ b/src/crwimage.cpp
+@@ -1326,7 +1326,11 @@ namespace Exiv2 {
+                                                  pCrwMapping->crwDir_);
+         if (edX != edEnd || edY != edEnd || edO != edEnd) {
+             uint32_t size = 28;
+-            if (cc && cc->size() > size) size = cc->size();
++            if (cc) {
++              if (cc->size() < size)
++                throw Error(kerCorruptedMetadata);
++              size = cc->size();
++            }
+             DataBuf buf(size);
+             std::memset(buf.pData_, 0x0, buf.size_);
+             if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
diff --git a/SPECS/compat-exiv2-026.spec b/SPECS/compat-exiv2-026.spec
index 6dbf115..757143c 100644
--- a/SPECS/compat-exiv2-026.spec
+++ b/SPECS/compat-exiv2-026.spec
@@ -1,6 +1,6 @@
 Name:    compat-exiv2-026
 Version: 0.26
-Release: 3%{?dist}
+Release: 5%{?dist}
 Summary: Compatibility package with the exiv2 library in version 0.26
 
 License: GPLv2+
@@ -32,6 +32,8 @@ Patch24: exiv2-CVE-2018-5772.patch
 Patch25: exiv2-CVE-2018-8976.patch
 Patch26: exiv2-CVE-2018-8977.patch
 Patch27: exiv2-CVE-2018-16336.patch
+Patch28: exiv2-CVE-2021-31291.patch
+Patch29: exiv2-CVE-2021-31292.patch
 
 ## upstreamable patches
 
@@ -96,6 +98,13 @@ rm -rf mv %{buildroot}%{_libdir}/libexiv2.so
 
 
 %changelog
+* Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-11
+- Fix heap-based buffer overflow vulnerability in jp2image.cpp that may lead to DoS
+  Resolves: bz#1990398
+
+- Integer overflow in CrwMap:encode0x1810 leading to heap-based buffer overflow and DoS
+  Resolves: bz#1990399
+
 * Thu Nov 21 2019 Jan Grulich <jgrulich@redhat.com> - 0.26-3
 - Remove pre-built msvc binaries
   Resolves: bz#1757349