Diffstat (limited to 'user/exiv2/CVE-2018-19535.patch')
-rw-r--r--user/exiv2/CVE-2018-19535.patch239
1 files changed, 239 insertions, 0 deletions
diff --git a/user/exiv2/CVE-2018-19535.patch b/user/exiv2/CVE-2018-19535.patch
new file mode 100644
index 000000000..ba9355012
--- /dev/null
+++ b/user/exiv2/CVE-2018-19535.patch
@@ -0,0 +1,239 @@
+From 03173751b4d7053d6ddf52a15904e8f751f78f56 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
+Date: Sun, 2 Sep 2018 14:39:52 +0200
+Subject: [PATCH 2/5] Fix bug in PngChunk::readRawProfile
+
+- Now it takes into account text.size_ when searching for a newline
+char.
+---
+ src/pngchunk.cpp | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 58281b3ff..755872c94 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -629,11 +629,19 @@ namespace Exiv2 {
+
+
+ sp = (char*)text.pData_+1;
++ int pointerPos = 1;
+
+ // Look for newline
+-
+- while (*sp != '\n')
++ while (*sp != '\n' && pointerPos < (text.size_ - 1))
++ {
+ sp++;
++ pointerPos++;
++ }
++
++ if (pointerPos == (text.size_ - 1))
++ {
++ return DataBuf();
++ }
+
+ // Look for length
+
+
+From cf3ba049a2792ec2a4a877e343f5dd9654da53dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
+Date: Mon, 3 Sep 2018 08:51:08 +0200
+Subject: [PATCH 3/5] Fix more issues in PngChunk::readRawProfile
+
+---
+ src/pngchunk.cpp | 36 +++++++++++++-----------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 755872c94..9b3faf1aa 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -606,11 +606,6 @@ namespace Exiv2 {
+ DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt)
+ {
+ DataBuf info;
+- register long i;
+- register unsigned char *dp;
+- const char *sp;
+- unsigned int nibbles;
+- long length;
+ unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+ 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+@@ -627,8 +622,7 @@ namespace Exiv2 {
+ return info;
+ }
+
+-
+- sp = (char*)text.pData_+1;
++ const char *sp = (char*)text.pData_+1;
+ int pointerPos = 1;
+
+ // Look for newline
+@@ -638,20 +632,30 @@ namespace Exiv2 {
+ pointerPos++;
+ }
+
++ // Look for length
++ while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
++ {
++ sp++;
++ pointerPos++;
++ }
++
+ if (pointerPos == (text.size_ - 1))
+ {
+ return DataBuf();
+ }
+
+- // Look for length
++ long length = (long) atol(sp);
+
+- while (*sp == '\0' || *sp == ' ' || *sp == '\n')
++ while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
++ {
+ sp++;
++ pointerPos++;
++ }
+
+- length = (long) atol(sp);
+-
+- while (*sp != ' ' && *sp != '\n')
+- sp++;
++ if (pointerPos == (text.size_ - 1))
++ {
++ return DataBuf();
++ }
+
+ // Allocate space
+
+@@ -674,10 +678,10 @@ namespace Exiv2 {
+
+ // Copy profile, skipping white space and column 1 "=" signs
+
+- dp = (unsigned char*)info.pData_;
+- nibbles = length * 2;
++ unsigned char *dp = (unsigned char*)info.pData_;
++ unsigned int nibbles = length * 2;
+
+- for (i = 0; i < (long) nibbles; i++)
++ for (long i = 0; i < (long) nibbles; i++)
+ {
+ while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
+ {
+
+From 8b480bc5b2cc2abb8cf6fe4e16c24e58916464d2 Mon Sep 17 00:00:00 2001
+From: Robin Mills <robin@clanmills.com>
+Date: Mon, 10 Sep 2018 20:54:53 +0200
+Subject: [PATCH 4/5] Fixes in PngChunk::readRawProfile
+
+---
+ src/pngchunk.cpp | 55 ++++++++++++++++++++++----------------------
+ 1 file changed, 27 insertions(+), 28 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 9b3faf1aa..f81b560aa 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -607,11 +607,11 @@ namespace Exiv2 {
+ {
+ DataBuf info;
+ unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+- 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
+- 13,14,15};
++ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
++ 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
++ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
++ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
++ 13,14,15};
+ if (text.size_ == 0) {
+ return DataBuf();
+ }
+@@ -622,52 +622,51 @@ namespace Exiv2 {
+ return info;
+ }
+
+- const char *sp = (char*)text.pData_+1;
+- int pointerPos = 1;
++ const char *sp = (char*) text.pData_+1; // current byte (space pointer)
++ const char *eot = (char*) text.pData_+text.size_; // end of text
+
+ // Look for newline
+- while (*sp != '\n' && pointerPos < (text.size_ - 1))
++ while (*sp != '\n' && sp < eot )
+ {
+ sp++;
+- pointerPos++;
++ if ( sp == eot )
++ {
++ return DataBuf();
++ }
+ }
++ sp++ ; // step over '\n'
+
+ // Look for length
+- while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
++ while ( (*sp == '\0' || *sp == ' ' || *sp == '\n') && sp < eot )
+ {
+ sp++;
+- pointerPos++;
+- }
+-
+- if (pointerPos == (text.size_ - 1))
+- {
+- return DataBuf();
++ if (sp == eot )
++ {
++ return DataBuf();
++ }
+ }
+
+- long length = (long) atol(sp);
+-
+- while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
++ const char* startOfLength = sp;
++ while ( ('0' <= *sp && *sp <= '9') && sp < eot)
+ {
+ sp++;
+- pointerPos++;
++ if (sp == eot )
++ {
++ return DataBuf();
++ }
+ }
++ sp++ ; // step over '\n'
+
+- if (pointerPos == (text.size_ - 1))
+- {
+- return DataBuf();
+- }
++ long length = (long) atol(startOfLength);
+
+ // Allocate space
+-
+ if (length == 0)
+ {
+ #ifdef DEBUG
+ std::cerr << "Exiv2::PngChunk::readRawProfile: Unable To Copy Raw Profile: invalid profile length\n";
+ #endif
+ }
+-
+ info.alloc(length);
+-
+ if (info.size_ != length)
+ {
+ #ifdef DEBUG
+@@ -678,7 +677,7 @@ namespace Exiv2 {
+
+ // Copy profile, skipping white space and column 1 "=" signs
+
+- unsigned char *dp = (unsigned char*)info.pData_;
++ unsigned char *dp = (unsigned char*)info.pData_; // decode pointer
+ unsigned int nibbles = length * 2;
+
+ for (long i = 0; i < (long) nibbles; i++)
+
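Review bot: In the loops added by PATCH 4/5 the conditions read `*sp` before testing `sp < eot` (`while (*sp != '\n' && sp < eot )` and the two loops after it), so the bound does not protect the first read; after either `sp++ ;` step-over, or at entry when `text.size_` is 1 (only `size_ == 0` is rejected in the visible lines), `sp` can equal `eot` and the next condition reads one byte past the buffer. Put the bound first, `while (sp < eot && *sp != '\n')`, and re-check after each step-over, e.g. `if (++sp >= eot) return DataBuf();`. The second `// step over '\n'` comment is also inaccurate, since the digit loop stops on any non-digit, not only a newline. `atol(startOfLength)` can still return a negative value when the byte at `startOfLength` is a sign or whitespace, and in the visible lines `length` reaches `info.alloc(length)` and `nibbles = length * 2` without a range check; the function body continues beyond the hunk, so confirm whether the decode loop's `while (*sp < '0' ...)` scan is bounded by `eot`.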