xymp
/
exiv2
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2017-1000126

Browse Source 
CVE-2017-1000126 is a Stack out of bounds read in the WebP parser caused by the
parameter size & filesize being too large, causing the parser to land in an
infinite loop and eventually crash. Enforcing that the size over which the
parser iterates is smaller than the file fixes this issue.

This fixes #175.
v0.27.3
Dan Čermák 7 years ago
parent 49db96cd58
commit 3c20cc06a9
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File

8
src/webpimage.cpp
Unescape Escape View File

@ -32,6 +32,7 @@
#include "webpimage.hpp" #include "webpimage.hpp"
#include "image_int.hpp" #include "image_int.hpp"
#include "enforce.hpp"
#include "futils.hpp" #include "futils.hpp"
#include "basicio.hpp" #include "basicio.hpp"
#include "tags.hpp" #include "tags.hpp"
@ -490,7 +491,9 @@ namespace Exiv2 {
io_->read(data, WEBP_TAG_SIZE * 3); io_->read(data, WEBP_TAG_SIZE * 3);
WebPImage::decodeChunks(Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian) + 8); const uint32_t filesize = Exiv2::getULong(data + WEBP_TAG_SIZE, littleEndian) + 8;
enforce(filesize <= io_->size(), Exiv2::kerCorruptedMetadata);
WebPImage::decodeChunks(filesize);
} // WebPImage::readMetadata } // WebPImage::readMetadata
@ -508,7 +511,8 @@ namespace Exiv2 {
while ( !io_->eof() && (uint64_t) io_->tell() < filesize) { while ( !io_->eof() && (uint64_t) io_->tell() < filesize) {
io_->read(chunkId.pData_, WEBP_TAG_SIZE); io_->read(chunkId.pData_, WEBP_TAG_SIZE);
io_->read(size_buff, WEBP_TAG_SIZE); io_->read(size_buff, WEBP_TAG_SIZE);
long size = Exiv2::getULong(size_buff, littleEndian); const uint32_t size = Exiv2::getULong(size_buff, littleEndian);
enforce(size <= (filesize - io_->tell()), Exiv2::kerCorruptedMetadata);
DataBuf payload(size); DataBuf payload(size);

Write Preview
Loading…
Cancel
Save