From c03f73268f65c73f9d3d7b670f13e48e92692750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roberto=20C=2E=20S=C3=A1nchez?=
Date: Tue, 9 Oct 2018 23:51:10 -0400
Subject: [PATCH] Prevent SIGABRT on excessive subBox length in jp2image.cpp
This fixes CVE-2018-9145
---
 src/jp2image.cpp | 4 +++
 test/data/4-DataBuf-abort-1 | Bin 0 -> 84 bytes
 tests/bugfixes/github/test_CVE_2018_9145.py | 26 ++++++++++++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 test/data/4-DataBuf-abort-1
 create mode 100644 tests/bugfixes/github/test_CVE_2018_9145.py
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 03f03ea3..640e59ef 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -503,6 +503,10 @@ namespace Exiv2
 subBox.length = getLong((byte*)&subBox.length, bigEndian);
 subBox.type = getLong((byte*)&subBox.type, bigEndian);
+ // subBox.length makes no sense if it is larger than the rest of the file
+ if (subBox.length > io_->size() - io_->tell()) {
+ throw Error(kerCorruptedMetadata);
+ }
 DataBuf data(subBox.length-sizeof(box));
 io_->read(data.pData_,data.size_);
 if ( bPrint ) {
diff --git a/test/data/4-DataBuf-abort-1 b/test/data/4-DataBuf-abort-1
new file mode 100644
index 0000000000000000000000000000000000000000..7fafefcffc0bed9779ff0cd702eae71fdb1ad391
GIT binary patch
literal 84
zcmZQzVBpCLP*C9IYUg5LU=YbFFvd
literal 0
HcmV?d00001
diff --git a/tests/bugfixes/github/test_CVE_2018_9145.py b/tests/bugfixes/github/test_CVE_2018_9145.py
new file mode 100644
index 00000000..9fc541be
--- /dev/null
+++ b/tests/bugfixes/github/test_CVE_2018_9145.py
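Review bot: The new guard bounds subBox.length from above only, yet the very next line computes `subBox.length-sizeof(box)`; a box whose length field is smaller than the box header (including 0) passes the check and, if subBox.length is unsigned (getLong's return type is not visible in this hunk), the subtraction wraps to a huge DataBuf size and reaches the same abort that CVE-2018-9145 describes. Widening the condition to `if (subBox.length < sizeof(box) || subBox.length > io_->size() - io_->tell()) {` rejects both directions with the same kerCorruptedMetadata error. The right-hand side also assumes io_->tell() never exceeds io_->size(); if the stream can be positioned past the end, that difference underflows as well and the comparison silently passes, so computing the remaining byte count into a local and rejecting a negative or zero remainder first would be more robust. A second fixture with an undersized box length, alongside test/data/4-DataBuf-abort-1, would pin that extra case. The enclosing function starts and ends outside the hunk.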
@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+
+import system_tests
+
+
+class SubBoxLengthDataBufAbort(metaclass=system_tests.CaseMeta):
+
+ url = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9145"
+
+ filename = system_tests.path(
+ "$data_path/4-DataBuf-abort-1"
+ )
+ commands = ["$exiv2 -pR $filename"]
+ stdout = [
+ """STRUCTURE OF JPEG2000 FILE: $filename
+ address | length | box | data
+ 0 | 12 | jP |
+ 12 | 20 | jp2h |
+"""
+ ]
+ stderr = [
+ """$exiv2_exception_message $filename:
+$kerCorruptedMetadata
+"""
+ ]
+ retval = [1]