From 3c20cc06a9ede4e277a9efe94e211c20ceb0ce8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Mon, 26 Mar 2018 00:34:25 +0200
Subject: [PATCH] Fix CVE-2017-1000126

CVE-2017-1000126 is a Stack out of bounds read in the WebP parser caused by the
parameter size & filesize being too large, causing the parser to land in an
infinite loop and eventually crash. Enforcing that the size over which the
parser iterates is smaller than the file fixes this issue.

This fixes #175.
---
 src/webpimage.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/webpimage.cpp b/src/webpimage.cpp
index 7aae52b8..7a8c0b28 100644
--- a/src/webpimage.cpp
+++ b/src/webpimage.cpp
@@ -32,6 +32,7 @@
 
 #include "webpimage.hpp"
 #include "image_int.hpp"
+#include "enforce.hpp"
 #include "futils.hpp"
 #include "basicio.hpp"
 #include "tags.hpp"
@@ -490,7 +491,9 @@ namespace Exiv2 {
 
         io_->read(data, WEBP_TAG_SIZE * 3);
 
-        WebPImage::decodeChunks(Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian) + 8);
+        const uint32_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian) + 8;
+        enforce(filesize <= io_->size(), Exiv2::kerCorruptedMetadata);
+        WebPImage::decodeChunks(filesize);
 
     } // WebPImage::readMetadata
 
@@ -508,7 +511,8 @@ namespace Exiv2 {
         while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
             io_->read(chunkId.pData_, WEBP_TAG_SIZE);
             io_->read(size_buff, WEBP_TAG_SIZE);
-            long size = Exiv2::getULong(size_buff, littleEndian);
+            const uint32_t size = Exiv2::getULong(size_buff, littleEndian);
+            enforce(size <= (filesize - io_->tell()), Exiv2::kerCorruptedMetadata);
 
             DataBuf payload(size);