Prevent SIGABRT on excessive subBox length in jp2image.cpp

This fixes CVE-2018-9145
7 years ago · c03f73268f
parent af44cec65f
commit c03f73268f
3 changed files with 30 additions and 0 deletions
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@ -503,6 +503,10 @@ namespace Exiv2
                            subBox.length = getLong((byte*)&subBox.length, bigEndian);
                            subBox.type   = getLong((byte*)&subBox.type, bigEndian);

+                            // subBox.length makes no sense if it is larger than the rest of the file
+                            if (subBox.length > io_->size() - io_->tell()) {
+                                throw Error(kerCorruptedMetadata);
+                            }
                            DataBuf data(subBox.length-sizeof(box));
                            io_->read(data.pData_,data.size_);
                            if ( bPrint ) {
--- a/test/data/4-DataBuf-abort-1
+++ b/test/data/4-DataBuf-abort-1
--- a/tests/bugfixes/github/test_CVE_2018_9145.py
+++ b/tests/bugfixes/github/test_CVE_2018_9145.py
@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+
+import system_tests
+
+
+class SubBoxLengthDataBufAbort(metaclass=system_tests.CaseMeta):
+
+    url = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9145"
+
+    filename = system_tests.path(
+        "$data_path/4-DataBuf-abort-1"
+    )
+    commands = ["$exiv2 -pR $filename"]
+    stdout = [
+        """STRUCTURE OF JPEG2000 FILE: $filename
+ address |   length | box       | data
+       0 |       12 | jP        | 
+      12 |       20 | jp2h      | 
+"""
+    ]
+    stderr = [
+        """$exiv2_exception_message $filename:
+$kerCorruptedMetadata
+"""
+    ]
+    retval = [1]