From b1cf58a388a2e50046539ab680567ee15768bf75 Mon Sep 17 00:00:00 2001
From: "A. Wilcox"
Date: Sat, 8 Dec 2018 17:30:59 +0000
Subject: user/exiv2: fix CVE-2018-19535
---
 user/exiv2/CVE-2018-19535.patch | 239 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 239 insertions(+)
 create mode 100644 user/exiv2/CVE-2018-19535.patch
(limited to 'user/exiv2/CVE-2018-19535.patch')
diff --git a/user/exiv2/CVE-2018-19535.patch b/user/exiv2/CVE-2018-19535.patch
new file mode 100644
index 000000000..ba9355012
--- /dev/null
+++ b/user/exiv2/CVE-2018-19535.patch
@@ -0,0 +1,239 @@
+From 03173751b4d7053d6ddf52a15904e8f751f78f56 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?=
+Date: Sun, 2 Sep 2018 14:39:52 +0200
+Subject: [PATCH 2/5] Fix bug in PngChunk::readRawProfile
+
+- Now it takes into account text.size_ when searching for a newline
+char.
+---
+ src/pngchunk.cpp | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 58281b3ff..755872c94 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -629,11 +629,19 @@ namespace Exiv2 {
+
+
+ sp = (char*)text.pData_+1;
++ int pointerPos = 1;
+
+ // Look for newline
+-
+- while (*sp != '\n')
++ while (*sp != '\n' && pointerPos < (text.size_ - 1))
++ {
+ sp++;
++ pointerPos++;
++ }
++
++ if (pointerPos == (text.size_ - 1))
++ {
++ return DataBuf();
++ }
+
+ // Look for length
+
+
+From cf3ba049a2792ec2a4a877e343f5dd9654da53dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?=
+Date: Mon, 3 Sep 2018 08:51:08 +0200
+Subject: [PATCH 3/5] Fix more issues in PngChunk::readRawProfile
+
+---
+ src/pngchunk.cpp | 36 +++++++++++++-----------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 755872c94..9b3faf1aa 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -606,11 +606,6 @@ namespace Exiv2 {
+ DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt)
+ {
+ DataBuf info;
+- register long i;
+- register unsigned char *dp;
+- const char *sp;
+- unsigned int nibbles;
+- long length;
+ unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+ 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+@@ -627,8 +622,7 @@ namespace Exiv2 {
+ return info;
+ }
+
+-
+- sp = (char*)text.pData_+1;
++ const char *sp = (char*)text.pData_+1;
+ int pointerPos = 1;
+
+ // Look for newline
+@@ -638,20 +632,30 @@ namespace Exiv2 {
+ pointerPos++;
+ }
+
++ // Look for 
length
++ while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
++ {
++ sp++;
++ pointerPos++;
++ }
++
+ if (pointerPos == (text.size_ - 1))
+ {
+ return DataBuf();
+ }
+
+- // Look for length
++ long length = (long) atol(sp);
+
+- while (*sp == '\0' || *sp == ' ' || *sp == '\n')
++ while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
++ {
+ sp++;
++ pointerPos++;
++ }
+
+- length = (long) atol(sp);
+-
+- while (*sp != ' ' && *sp != '\n')
+- sp++;
++ if (pointerPos == (text.size_ - 1))
++ {
++ return DataBuf();
++ }
+
+ // Allocate space
+
+@@ -674,10 +678,10 @@ namespace Exiv2 {
+
+ // Copy profile, skipping white space and column 1 "=" signs
+
+- dp = (unsigned char*)info.pData_;
+- nibbles = length * 2;
++ unsigned char *dp = (unsigned char*)info.pData_;
++ unsigned int nibbles = length * 2;
+
+- for (i = 0; i < (long) nibbles; i++)
++ for (long i = 0; i < (long) nibbles; i++)
+ {
+ while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
+ {
+
+From 8b480bc5b2cc2abb8cf6fe4e16c24e58916464d2 Mon Sep 17 00:00:00 2001
+From: Robin Mills
+Date: Mon, 10 Sep 2018 20:54:53 +0200
+Subject: [PATCH 4/5] Fixes in PngChunk::readRawProfile
+
+---
+ src/pngchunk.cpp | 55 ++++++++++++++++++++++----------------------
+ 1 file changed, 27 insertions(+), 28 deletions(-)
+
+diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
+index 9b3faf1aa..f81b560aa 100644
+--- a/src/pngchunk.cpp
++++ b/src/pngchunk.cpp
+@@ -607,11 +607,11 @@ namespace Exiv2 {
+ {
+ DataBuf info;
+ unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+- 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+- 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
+- 13,14,15};
++ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
++ 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
++ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
++ 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
++ 13,14,15};
+ if (text.size_ 
== 0) {
+ return DataBuf();
+ }
+@@ -622,52 +622,51 @@ namespace Exiv2 {
+ return info;
+ }
+
+- const char *sp = (char*)text.pData_+1;
+- int pointerPos = 1;
++ const char *sp = (char*) text.pData_+1; // current byte (space pointer)
++ const char *eot = (char*) text.pData_+text.size_; // end of text
+
+ // Look for newline
+- while (*sp != '\n' && pointerPos < (text.size_ - 1))
++ while (*sp != '\n' && sp < eot )
+ {
+ sp++;
+- pointerPos++;
++ if ( sp == eot )
++ {
++ return DataBuf();
++ }
+ }
++ sp++ ; // step over '\n'
+
+ // Look for length
+- while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
++ while ( (*sp == '\0' || *sp == ' ' || *sp == '\n') && sp < eot )
+ {
+ sp++;
+- pointerPos++;
+- }
+-
+- if (pointerPos == (text.size_ - 1))
+- {
+- return DataBuf();
++ if (sp == eot )
++ {
++ return DataBuf();
++ }
+ }
+
+- long length = (long) atol(sp);
+-
+- while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
++ const char* startOfLength = sp;
++ while ( ('0' <= *sp && *sp <= '9') && sp < eot)
+ {
+ sp++;
+- pointerPos++;
++ if (sp == eot )
++ {
++ return DataBuf();
++ }
+ }
++ sp++ ; // step over '\n'
+
+- if (pointerPos == (text.size_ - 1))
+- {
+- return DataBuf();
+- }
++ long length = (long) atol(startOfLength);
+
+ // Allocate space
+-
+ if (length == 0)
+ {
+ #ifdef DEBUG
+ std::cerr << "Exiv2::PngChunk::readRawProfile: Unable To Copy Raw Profile: invalid profile length\n";
+ #endif
+ }
+-
+ info.alloc(length);
+-
+ if (info.size_ != length)
+ {
+ #ifdef DEBUG
+@@ -678,7 +677,7 @@ namespace Exiv2 {
+
+ // Copy profile, skipping white space and column 1 "=" signs
+
+- unsigned char *dp = (unsigned char*)info.pData_;
++ unsigned char *dp = (unsigned char*)info.pData_; // decode pointer
+ unsigned int nibbles = length * 2;
+
+ for (long i = 0; i < (long) nibbles; i++)
+
-- cgit v1.2.3-70-g09d2
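Review bot: In the final state of the series (the `@@ -622,52 +622,51 @@` hunk of PATCH 4/5) each scan loop reads `*sp` before it compares `sp < eot`, so the byte at `eot` is still read whenever `sp` already sits there on entry: `sp` starts at `text.pData_+1`, which is `eot` when `text.size_` is 1 (the only earlier guard visible is `text.size_ == 0`), and each `sp++ ; // step over '\n'` can land on `eot` right before the next loop's first read. The in-loop `if ( sp == eot ) return DataBuf();` only protects later iterations, so a one-byte over-read on untrusted chunk text survives at the loop boundaries; testing the bound first and guarding the two step-over increments, as below, closes it. The second `// step over '\n'` comment is also inaccurate, since that loop stops at the first non-digit, which the earlier version treated as a space separator. The copy loop in the `@@ -678,7 +677,7 @@` context (`while (*sp < '0' || ...)`) still has no `eot` check, and `PngChunk::readRawProfile` continues outside the hunk, so whether PATCH 5/5, which this file does not include, bounds it cannot be seen here.

```cpp
        const char *sp  = (char*) text.pData_+1;           // current byte (space pointer)
        const char *eot = (char*) text.pData_+text.size_;  // end of text

        // Look for newline: check the bound before reading the byte
        while (sp < eot && *sp != '\n')
            sp++;
        if (sp == eot || ++sp == eot)   // no '\n' at all, or nothing follows it
            return DataBuf();

        // Look for length
        while (sp < eot && (*sp == '\0' || *sp == ' ' || *sp == '\n'))
            sp++;
        if (sp == eot)
            return DataBuf();

        const char* startOfLength = sp;
        while (sp < eot && '0' <= *sp && *sp <= '9')
            sp++;
        if (sp == eot || ++sp == eot)   // digits run to the end, or the separator is the last byte
            return DataBuf();

        long length = (long) atol(startOfLength);
        // … unchanged: length == 0 check, info.alloc(length), size check …
```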