Merge pull request #108 from D4N/fix_CVE-2017-14860

Fix CVE-2017-14860

src/error.cpp

@@ -109,6 +109,7 @@ namespace {
         { 55, N_("tiff directory length is too large") },
         { 56, N_("invalid type value detected in Image::printIFDStructure") },
         { 57, N_("invalid memory allocation request") },
+        { 58, N_("corrupted image metadata") },
     };
 
 }

src/jp2image.cpp

@@ -269,10 +269,15 @@ namespace Exiv2
                             std::cout << "Exiv2::Jp2Image::readMetadata: "
                                      << "Color data found" << std::endl;
 #endif
-                            long pad = 3 ; // 3 padding bytes 2 0 0
+                            const long pad = 3 ; // 3 padding bytes 2 0 0
                             DataBuf data(subBox.length+8);
                             io_->read(data.pData_,data.size_);
-                            long    iccLength = getULong(data.pData_+pad, bigEndian);
+                            const long    iccLength = getULong(data.pData_+pad, bigEndian);
+                            // subtracting pad from data.size_ is safe:
+                            // size_ is at least 8 and pad = 3
+                            if (iccLength > data.size_ - pad) {
+                                throw Error(58);
+			    }
                             DataBuf icc(iccLength);
                             ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
 #ifdef DEBUG

test/bugfixes-test.sh

@@ -730,6 +730,13 @@ source ./functions.source
     copyTestFile                      $filename
     runTest exiv2                     $filename
 
+    num=g71
+    printf "$num " >&3
+    filename=003-heap-buffer-over
+    echo '------>' Bug $filename '<-------' >&2
+    copyTestFile                      $filename
+    runTest exiv2                     $filename
+
 ) 3>&1 > $results 2>&1
 
 printf "\n"