[jackhill/guix/guix.git] / gnu / packages / patches / exiv2-CVE-2017-14860.patch

Fix CVE-2017-14860.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
https://nvd.nist.gov/vuln/detail/CVE-2017-14860

Copied from upstream:

https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce

From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Fri, 6 Oct 2017 23:09:08 +0200
Subject: [PATCH] Fix for CVE-2017-14860

A heap buffer overflow could occur in memcpy when icc.size_ is larger
than data.size_ - pad, as then memcpy would read out of bounds of data.

This commit adds a sanity check to iccLength (= icc.size_): if it is
larger than data.size_ - pad (i.e. an overflow would be caused) an
exception is thrown.

This fixes #71.
---
 src/jp2image.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 747145cf..748d39b5 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -269,10 +269,15 @@ namespace Exiv2
                             std::cout << "Exiv2::Jp2Image::readMetadata: "
                                      << "Color data found" << std::endl;
 #endif
-                            long pad = 3 ; // 3 padding bytes 2 0 0
+                            const long pad = 3 ; // 3 padding bytes 2 0 0
                             DataBuf data(subBox.length+8);
                             io_->read(data.pData_,data.size_);
-                            long    iccLength = getULong(data.pData_+pad, bigEndian);
+                            const long    iccLength = getULong(data.pData_+pad, bigEndian);
+                            // subtracting pad from data.size_ is safe:
+                            // size_ is at least 8 and pad = 3
+                            if (iccLength > data.size_ - pad) {
+                                throw Error(58);
+			    }
                             DataBuf icc(iccLength);
                             ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
 #ifdef DEBUG
Commit	Line	Data
4119376d MB	1	Fix CVE-2017-14860.
	2
	3	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
	4	https://nvd.nist.gov/vuln/detail/CVE-2017-14860
	5
	6	Copied from upstream:
	7
	8	https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce
	9
	10	From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001
	11	From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
	12	Date: Fri, 6 Oct 2017 23:09:08 +0200
	13	Subject: [PATCH] Fix for CVE-2017-14860
	14
	15	A heap buffer overflow could occur in memcpy when icc.size_ is larger
	16	than data.size_ - pad, as then memcpy would read out of bounds of data.
	17
	18	This commit adds a sanity check to iccLength (= icc.size_): if it is
	19	larger than data.size_ - pad (i.e. an overflow would be caused) an
	20	exception is thrown.
	21
	22	This fixes #71.
	23	---
	24	src/jp2image.cpp \| 9 +++++++--
	25	1 file changed, 7 insertions(+), 2 deletions(-)
	26
	27	diff --git a/src/jp2image.cpp b/src/jp2image.cpp
	28	index 747145cf..748d39b5 100644
	29	--- a/src/jp2image.cpp
	30	+++ b/src/jp2image.cpp
	31	@@ -269,10 +269,15 @@ namespace Exiv2
	32	std::cout << "Exiv2::Jp2Image::readMetadata: "
	33	<< "Color data found" << std::endl;
	34	#endif
	35	- long pad = 3 ; // 3 padding bytes 2 0 0
	36	+ const long pad = 3 ; // 3 padding bytes 2 0 0
	37	DataBuf data(subBox.length+8);
	38	io_->read(data.pData_,data.size_);
	39	- long iccLength = getULong(data.pData_+pad, bigEndian);
	40	+ const long iccLength = getULong(data.pData_+pad, bigEndian);
	41	+ // subtracting pad from data.size_ is safe:
	42	+ // size_ is at least 8 and pad = 3
	43	+ if (iccLength > data.size_ - pad) {
	44	+ throw Error(58);
	45	+ }
	46	DataBuf icc(iccLength);
	47	::memcpy(icc.pData_,data.pData_+pad,icc.size_);
	48	#ifdef DEBUG