gnu: exiv2: Add upstream security fixes.
[jackhill/guix/guix.git] / gnu / packages / patches / exiv2-CVE-2017-14859-14862-14864.patch
1 Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864.
2
3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859
4 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862
5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864
6
7 Copied from upstream:
8
9 https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607
10
11 From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001
12 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
13 Date: Sat, 7 Oct 2017 23:08:36 +0200
14 Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859
15
16 The invalid memory dereference in
17 Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read()
18 is caused further up the call-stack, by
19 v->read(pData, size, byteOrder) in TiffReader::readTiffEntry()
20 passing an invalid pData pointer (pData points outside of the Tiff
21 file). pData can be set out of bounds in the (size > 4) branch where
22 baseOffset() and offset are added to pData_ without checking whether
23 the result is still in the file. As offset comes from an untrusted
24 source, an attacker can craft an arbitrarily large offset into the
25 file.
26
27 This commit adds a check to the problematic branch for whether the
28 result of the addition would be out of bounds of the Tiff
29 file. Furthermore the whole operation is checked for possible
30 overflows.
31 ---
32 src/tiffvisitor.cpp | 13 +++++++++++++
33 1 file changed, 13 insertions(+)
34
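The commit message above describes the bug as an untrusted `offset` added to `pData_` without checking that the result still lies inside the TIFF buffer. The following is an added example, not exiv2's code and not part of this patch: a small stand-in for the reader state (`EntryReader`, `valueData`, `fits`, `readU32LE` and the constructed sample `kDemoFile` are all hypothetical names) that performs the same bounds check in the integer domain, so that no pointer past the end of the buffer is ever formed and no separate wraparound guard is needed.

```cpp
// Added example (not exiv2 code): bounds-checking a TIFF entry's value
// location the way the tiffvisitor.cpp fix intends, but computed on
// integers rather than on pointers. All names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

namespace tiffdemo {

// Minimal stand-in for TiffReader's state: the mapped file [pData_, pLast_)
// and the TIFF base offset within it (same role as the patch's members).
class EntryReader {
public:
    EntryReader(const uint8_t* data, size_t len, int32_t base)
        : pData_(data), pLast_(data + len), baseOffset_(base) {}

    // Pointer to `size` bytes of entry data at baseOffset_ + offset.
    // Throws std::out_of_range instead of ever returning a pointer
    // that lies outside [pData_, pLast_].
    const uint8_t* valueData(uint32_t offset, uint32_t size) const {
        // A negative base cast to an unsigned type would become a huge
        // value, so reject it explicitly instead of letting it wrap.
        if (baseOffset_ < 0)
            throw std::out_of_range("negative base offset");
        // Two 32-bit operands cannot overflow a 64-bit sum, so no
        // separate wraparound check is required.
        const uint64_t start = static_cast<uint64_t>(baseOffset_) + offset;
        const uint64_t avail = static_cast<uint64_t>(pLast_ - pData_);
        if (start > avail)
            throw std::out_of_range("entry offset beyond end of file");
        if (size > avail - start)
            throw std::out_of_range("entry size beyond end of file");
        return pData_ + start;  // in range by construction
    }

    // Does an entry at (offset, size) lie completely inside the file?
    bool fits(uint32_t offset, uint32_t size) const {
        try { valueData(offset, size); return true; }
        catch (const std::out_of_range&) { return false; }
    }

    // Read a little-endian 32-bit value, as a LONG tag's data would be read.
    uint32_t readU32LE(uint32_t offset) const {
        const uint8_t* p = valueData(offset, 4);
        return static_cast<uint32_t>(p[0])
             | (static_cast<uint32_t>(p[1]) << 8)
             | (static_cast<uint32_t>(p[2]) << 16)
             | (static_cast<uint32_t>(p[3]) << 24);
    }

private:
    const uint8_t* pData_;
    const uint8_t* pLast_;
    int32_t baseOffset_;
};

// Constructed sample, not a real file: an 8-byte little-endian TIFF header
// ("II", magic 42, first IFD at offset 8) followed by a single 4-byte
// value 0xDEADBEEF stored at file offset 8. Total length: 12 bytes.
inline const std::vector<uint8_t>& kDemoFile() {
    static const std::vector<uint8_t> f = {
        'I', 'I', 42, 0, 8, 0, 0, 0,
        0xEF, 0xBE, 0xAD, 0xDE,
    };
    return f;
}

// Reader over the sample with base offset 0 (header at file start).
inline EntryReader demoReader() {
    const auto& f = kDemoFile();
    return EntryReader(f.data(), f.size(), 0);
}

}  // namespace tiffdemo
```

Working on `uint64_t` makes the check independent of pointer width and avoids the two-part overflow guard the patch uses; the only pointer ever formed is the one returned after the check has passed. An entry whose offset equals the file length is accepted only with `size == 0`, mirroring the `>` comparison in the patch followed by its separate size check.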
35 diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp
36 index 4ab733d4..ef13542e 100644
37 --- a/src/tiffvisitor.cpp
38 +++ b/src/tiffvisitor.cpp
39 @@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$")
40 #include <iostream>
41 #include <iomanip>
42 #include <cassert>
43 +#include <limits>
44
45 // *****************************************************************************
46 namespace {
47 @@ -1517,7 +1518,19 @@ namespace Exiv2 {
48 size = 0;
49 }
50 if (size > 4) {
51 + // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory,
52 + // as offset can be arbitrarily large
53 + if ((static_cast<uintptr_t>(baseOffset()) > std::numeric_limits<uintptr_t>::max() - static_cast<uintptr_t>(offset))
54 + || (static_cast<uintptr_t>(baseOffset() + offset) > std::numeric_limits<uintptr_t>::max() - reinterpret_cast<uintptr_t>(pData_)))
55 + {
56 + throw Error(59);
57 + }
58 + if (pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_) {
59 + throw Error(58);
60 + }
61 pData = const_cast<byte*>(pData_) + baseOffset() + offset;
62 +
63 + // check for size being invalid
64 if (size > static_cast<uint32_t>(pLast_ - pData)) {
65 #ifndef SUPPRESS_WARNINGS
66 EXV_ERROR << "Upper boundary of data for "
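Review bot: the new bounds test `if (pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_)` still forms a pointer that may lie far outside the buffer before comparing it, which is undefined behaviour in C++ even though the preceding check rules out uintptr_t wraparound; comparing in the integer domain, e.g. `if (static_cast<uint64_t>(baseOffset()) + offset > static_cast<uint64_t>(pLast_ - pData_)) throw Error(58);`, avoids both the undefined behaviour and the need for the two-part overflow guard, since two 32-bit quantities cannot overflow a 64-bit sum. Two related points on that guard: the second condition evaluates `baseOffset() + offset` in the operands' own type before widening, so it can wrap where the per-operand casts on the following line do not, and if baseOffset() can ever be negative, `static_cast<uintptr_t>` turns it into a huge value and the first condition throws for a valid file. Finally, consider whether throwing is the intended behaviour here: the existing size check a few lines below reports via EXV_ERROR and continues, so an out-of-range offset now aborts the whole parse instead of skipping one entry; if throwing is intended, Error(58) and Error(59) need corresponding entries in the error message table, which this patch does not add.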