diff options
Diffstat (limited to 'user/exiv2/CVE-2019-20421.patch')
| -rw-r--r-- | user/exiv2/CVE-2019-20421.patch | 116 |
1 files changed, 0 insertions, 116 deletions
diff --git a/user/exiv2/CVE-2019-20421.patch b/user/exiv2/CVE-2019-20421.patch deleted file mode 100644 index bdc5449f2..000000000 --- a/user/exiv2/CVE-2019-20421.patch +++ /dev/null @@ -1,116 +0,0 @@ -From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001 -From: clanmills <robin@clanmills.com> -Date: Tue, 1 Oct 2019 17:39:44 +0100 -Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop - ---- - src/jp2image.cpp | 25 +++++++++++++++---- - tests/bugfixes/github/test_CVE_2017_17725.py | 4 +-- - tests/bugfixes/github/test_issue_1011.py | 13 ++++++++++ - 4 files changed, 35 insertions(+), 7 deletions(-) - create mode 100755 test/data/Jp2Image_readMetadata_loop.poc - create mode 100644 tests/bugfixes/github/test_issue_1011.py - -diff --git a/src/jp2image.cpp b/src/jp2image.cpp -index d5cd1340a..0de088d62 100644 ---- a/src/jp2image.cpp -+++ b/src/jp2image.cpp -@@ -18,10 +18,6 @@ - * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA. - */ - --/* -- File: jp2image.cpp --*/ -- - // ***************************************************************************** - - // included header files -@@ -197,6 +193,16 @@ namespace Exiv2 - return result; - } - -+static void boxes_check(size_t b,size_t m) -+{ -+ if ( b > m ) { -+#ifdef EXIV2_DEBUG_MESSAGES -+ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl; -+#endif -+ throw Error(kerCorruptedMetadata); -+ } -+} -+ - void Jp2Image::readMetadata() - { - #ifdef EXIV2_DEBUG_MESSAGES -@@ -219,9 +225,12 @@ namespace Exiv2 - Jp2BoxHeader subBox = {0,0}; - Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0}; - Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; -+ size_t boxes = 0 ; -+ size_t boxem = 1000 ; // boxes max - - while (io_->read((byte*)&box, sizeof(box)) == sizeof(box)) - { -+ boxes_check(boxes++,boxem ); - position = io_->tell(); - box.length = getLong((byte*)&box.length, bigEndian); - box.type = getLong((byte*)&box.type, bigEndian); -@@ -251,8 +260,12 @@ namespace Exiv2 - - while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length ) - { -+ boxes_check(boxes++, boxem) ; - subBox.length = getLong((byte*)&subBox.length, bigEndian); - subBox.type = getLong((byte*)&subBox.type, bigEndian); -+ if (subBox.length > io_->size() ) { -+ throw Error(kerCorruptedMetadata); -+ } - #ifdef EXIV2_DEBUG_MESSAGES - std::cout << "Exiv2::Jp2Image::readMetadata: " - << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl; -@@ -308,7 +321,9 @@ namespace Exiv2 - } - - io_->seek(restore,BasicIo::beg); -- io_->seek(subBox.length, Exiv2::BasicIo::cur); -+ if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) { -+ throw Error(kerCorruptedMetadata); -+ } - restore = io_->tell(); - } - break; -diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py -index 1127b9806..670a75d8d 100644 ---- a/tests/bugfixes/github/test_CVE_2017_17725.py -+++ b/tests/bugfixes/github/test_CVE_2017_17725.py -@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta): - filename = "$data_path/poc_2017-12-12_issue188" - commands = ["$exiv2 " + filename] - stdout = [""] -- stderr = ["""$exiv2_overflow_exception_message """ + filename + """: --$addition_overflow_message -+ stderr = ["""$exiv2_exception_message """ + filename + """: -+$kerCorruptedMetadata - """] - retval = [1] -diff --git a/tests/bugfixes/github/test_issue_1011.py b/tests/bugfixes/github/test_issue_1011.py -new file mode 100644 -index 000000000..415861188 ---- /dev/null -+++ b/tests/bugfixes/github/test_issue_1011.py -@@ -0,0 +1,13 @@ -+# -*- coding: utf-8 -*- -+ -+from system_tests import CaseMeta, path -+ -+class Test_issue_1011(metaclass=CaseMeta): -+ -+ filename = path("$data_path/Jp2Image_readMetadata_loop.poc") -+ commands = ["$exiv2 " + filename] -+ stdout = [""] -+ stderr = ["""$exiv2_exception_message """ + filename + """: -+$kerCorruptedMetadata -+"""] -+ retval = [1] -\ No newline at end of file |