|
 |
340e69 |
From 6ede8aa1975177705450abb816163f0b8d33a597 Mon Sep 17 00:00:00 2001
|
|
|
340e69 |
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
|
|
|
340e69 |
Date: Fri, 6 Oct 2017 23:09:08 +0200
|
|
|
340e69 |
Subject: Fix for CVE-2017-14860
|
|
|
340e69 |
|
|
|
340e69 |
A heap buffer overflow could occur in memcpy when icc.size_ is larger
|
|
|
340e69 |
than data.size_ - pad, as then memcpy would read out of bounds of data.
|
|
|
340e69 |
|
|
|
340e69 |
This commit adds a sanity check to iccLength (= icc.size_): if it is
|
|
|
340e69 |
larger than data.size_ - pad (i.e. an overflow would be caused) an
|
|
|
340e69 |
exception is thrown.
|
|
|
340e69 |
|
|
|
340e69 |
This fixes #71.
|
|
|
340e69 |
|
|
|
340e69 |
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
|
|
|
340e69 |
index 1892fd43..09d023e2 100644
|
|
|
340e69 |
--- a/src/jp2image.cpp
|
|
|
340e69 |
+++ b/src/jp2image.cpp
|
|
|
340e69 |
@@ -269,10 +269,15 @@ namespace Exiv2
|
|
|
340e69 |
std::cout << "Exiv2::Jp2Image::readMetadata: "
|
|
|
340e69 |
<< "Color data found" << std::endl;
|
|
|
340e69 |
#endif
|
|
|
340e69 |
- long pad = 3 ; // 3 padding bytes 2 0 0
|
|
|
340e69 |
+ const long pad = 3 ; // 3 padding bytes 2 0 0
|
|
|
340e69 |
DataBuf data(subBox.length+8);
|
|
|
340e69 |
io_->read(data.pData_,data.size_);
|
|
|
340e69 |
- long iccLength = getULong(data.pData_+pad, bigEndian);
|
|
|
340e69 |
+ const long iccLength = getULong(data.pData_+pad, bigEndian);
|
|
|
340e69 |
+ // subtracting pad from data.size_ is safe:
|
|
|
340e69 |
+ // size_ is at least 8 and pad = 3
|
|
|
340e69 |
+ if (iccLength > data.size_ - pad) {
|
|
|
340e69 |
+ throw Error(58);
|
|
|
340e69 |
+ }
|
|
|
340e69 |
DataBuf icc(iccLength);
|
|
|
340e69 |
::memcpy(icc.pData_,data.pData_+pad,icc.size_);
|
|
|
340e69 |
#ifdef DEBUG
|