Merge pull request #207 from D4N/fix_cve_2018_4868

Fix CVE-2018-4868
7 years ago · 9cddfa514d
parent 7f56236bb8 72de0f96f3
commit 9cddfa514d
3 changed files with 24 additions and 1 deletions
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@ -268,7 +268,12 @@ namespace Exiv2
 #endif

                            const long pad = 3 ; // 3 padding bytes 2 0 0
-                            DataBuf data(Safe::add(subBox.length, static_cast<uint32_t>(8)));
+			    const size_t data_length = Safe::add(subBox.length, static_cast<uint32_t>(8));
+			    // data_length makes no sense if it is larger than the rest of the file
+			    if (data_length > io_->size() - io_->tell()) {
+				throw Error(58);
+			    }
+                            DataBuf data(data_length);
                            io_->read(data.pData_,data.size_);
                            const long    iccLength = getULong(data.pData_+pad, bigEndian);
                            // subtracting pad from data.size_ is safe:
--- a/test/data/exiv2-memorymmap-error
+++ b/test/data/exiv2-memorymmap-error
--- a/tests/bugfixes/github/test_CVE_2018_4868.py
+++ b/tests/bugfixes/github/test_CVE_2018_4868.py
@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+
+import system_tests
+
+
+class TestCvePoC(system_tests.Case):
+
+    url = "https://github.com/Exiv2/exiv2/issues/202"
+    cve_url = "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4868"
+    found_by = ["afl", "topsecLab", "xcainiao"]
+
+    filename = "{data_path}/exiv2-memorymmap-error"
+    commands = ["{exiv2} " + filename]
+    stdout = [""]
+    stderr = ["""{exiv2_exception_msg} """ + filename + """:
+{error_58_message}
+"""]
+    retval = [1]