summaryrefslogtreecommitdiff
path: root/user/exiv2/CVE-2019-17402.patch
blob: f54b511b03c11fcee713a7fa9ecb3859150777fb (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
From 683451567284005cd24e1ccb0a76ca401000968b Mon Sep 17 00:00:00 2001
From: Jens Georg <mail@jensge.org>
Date: Sun, 6 Oct 2019 15:05:20 +0200
Subject: [PATCH 1/2] crwimage: Check offset and size against total size

Corrupted or specially crafted CRW images might exceed the overall
buffersize.

Fixes #1019
---
 src/crwimage_int.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
index 2474baace..3315b86d7 100644
--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
@@ -270,6 +270,9 @@ namespace Exiv2 {
 #ifdef EXIV2_DEBUG_MESSAGES
         std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
 #endif
+        if (this->offset() + this->size() > size)
+            throw Error(kerOffsetOutOfRange);
+
         readDirectory(pData + offset(), this->size(), byteOrder);
 #ifdef EXIV2_DEBUG_MESSAGES
         std::cout << "<---- 0x" << std::hex << tag() << "\n";

From 73b874fb14d02578f876aa7dd404cf7c07b6dc4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Mon, 7 Oct 2019 23:25:00 +0200
Subject: [PATCH 2/2] [tests] Add regression test for #1019

---
 test/data/POC-file_issue_1019            | Bin 0 -> 10078 bytes
 tests/bugfixes/github/test_issue_1019.py |  14 ++++++++++++++
 tests/suite.conf                         |   1 +
 3 files changed, 15 insertions(+)
 create mode 100755 test/data/POC-file_issue_1019
 create mode 100644 tests/bugfixes/github/test_issue_1019.py

diff --git a/tests/bugfixes/github/test_issue_1019.py b/tests/bugfixes/github/test_issue_1019.py
new file mode 100644
index 000000000..c2682f901
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_1019.py
@@ -0,0 +1,14 @@
+from system_tests import CaseMeta, path
+
+
+class OverreadInCiffDirectoryReadDirectory(metaclass=CaseMeta):
+
+    filename = path("$data_path/POC-file_issue_1019")
+    commands = ["$exiv2 -pv $filename"]
+    stdout = [""]
+    stderr = [
+        """$exiv2_exception_message $filename:
+$kerOffsetOutOfRange
+"""
+    ]
+    retval = [1]
diff --git a/tests/suite.conf b/tests/suite.conf
index 5b31930c1..dab7427b3 100644
--- a/tests/suite.conf
+++ b/tests/suite.conf
@@ -19,6 +19,7 @@ largeiptc_test: ${ENV:exiv2_path}/largeiptc-test${ENV:binary_extension}
 easyaccess_test: ${ENV:exiv2_path}/easyaccess-test${ENV:binary_extension}
 
 [variables]
+kerOffsetOutOfRange: Offset out of range
 kerFailedToReadImageData: Failed to read image data
 kerCorruptedMetadata: corrupted image metadata
 kerInvalidMalloc: invalid memory allocation request