Blame SOURCES/exiv2-CVE-2021-37618.patch
|
|
c13fd3 |
From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
|
|
|
c13fd3 |
From: Kevin Backhouse <kevinbackhouse@github.com>
|
|
|
c13fd3 |
Date: Mon, 5 Jul 2021 10:40:03 +0100
|
|
|
c13fd3 |
Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
|
|
|
c13fd3 |
|
|
|
c13fd3 |
---
|
|
|
c13fd3 |
src/jp2image.cpp | 2 ++
|
|
|
c13fd3 |
1 file changed, 2 insertions(+)
|
|
|
c13fd3 |
|
|
|
c13fd3 |
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
|
|
|
c13fd3 |
index 3bf356629..2d6dc2118 100644
|
|
|
c13fd3 |
--- a/src/jp2image.cpp
|
|
|
c13fd3 |
+++ b/src/jp2image.cpp
|
|
|
c13fd3 |
@@ -538,6 +538,7 @@ static void boxes_check(size_t b,size_t m)
|
|
|
c13fd3 |
|
|
|
c13fd3 |
if (subBox.type == kJp2BoxTypeColorHeader) {
|
|
|
c13fd3 |
long pad = 3; // don't know why there are 3 padding bytes
|
|
|
c13fd3 |
+ enforce(data.size_ >= pad, kerCorruptedMetadata);
|
|
|
c13fd3 |
if (bPrint) {
|
|
|
c13fd3 |
out << " | pad:";
|
|
|
c13fd3 |
for (int i = 0; i < 3; i++)
|
|
|
c13fd3 |
@@ -547,6 +548,7 @@ static void boxes_check(size_t b,size_t m)
|
|
|
c13fd3 |
if (bPrint) {
|
|
|
c13fd3 |
out << " | iccLength:" << iccLength;
|
|
|
c13fd3 |
}
|
|
|
c13fd3 |
+ enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
|
|
|
c13fd3 |
if (bICC) {
|
|
|
c13fd3 |
out.write((const char*)data.pData_ + pad, iccLength);
|
|
|
c13fd3 |
}
|