From 65f45a350516bfde4941d7906f2d67462f48d1ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Fri, 6 Oct 2017 23:08:01 +0200
Subject: [PATCH 1/3] Added new error message to warn about corrupted metadata

---
 src/error.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/error.cpp b/src/error.cpp
index e90a9c0a..f2edf4dd 100644
--- a/src/error.cpp
+++ b/src/error.cpp
@@ -109,6 +109,7 @@ namespace {
 { 55, N_("tiff directory length is too large") },
 { 56, N_("invalid type value detected in Image::printIFDStructure") },
 { 57, N_("invalid memory allocation request") },
+ { 58, N_("corrupted image metadata") },
 };
 }

From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Fri, 6 Oct 2017 23:09:08 +0200
Subject: [PATCH 2/3] Fix for CVE-2017-14860

A heap buffer overflow could occur in memcpy when icc.size_ is larger than data.size_ - pad, as then memcpy would read out of bounds of data. This commit adds a sanity check to iccLength (= icc.size_): if it is larger than data.size_ - pad (i.e. an overflow would be caused) an exception is thrown. This fixes #71.
---
 src/jp2image.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 747145cf..748d39b5 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -269,10 +269,15 @@ namespace Exiv2
 std::cout << "Exiv2::Jp2Image::readMetadata: " << "Color data found" << std::endl;
 #endif
- long pad = 3 ; // 3 padding bytes 2 0 0
+ const long pad = 3 ; // 3 padding bytes 2 0 0
 DataBuf data(subBox.length+8);
 io_->read(data.pData_,data.size_);
- long iccLength = getULong(data.pData_+pad, bigEndian);
+ const long iccLength = getULong(data.pData_+pad, bigEndian);
+ // subtracting pad from data.size_ is safe: // size_ is at least 8 and pad = 3
+ if (iccLength > data.size_ - pad) {
+ throw Error(58);
+ }
 DataBuf icc(iccLength);
 ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
 #ifdef DEBUG
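Review bot: The new bound on `iccLength` in the jp2image.cpp hunk does not reject negative values: `getULong` is, by its name, a 32-bit unsigned read stored into a `long`, so on a target where `long` is 32 bits a field of 2^31 or more becomes negative, passes `iccLength > data.size_ - pad`, and still reaches `DataBuf icc(iccLength)` and the `memcpy`, whose `size_t` conversion of `icc.size_` then becomes enormous; the signatures are outside the hunk, so this is inferred from the names. Writing the guard as `if (iccLength < 0 || iccLength > data.size_ - pad) {` closes that path on every platform at no cost. The unchecked return of `io_->read(data.pData_,data.size_)` on the line above is a related gap: a short read may leave the tail of `data` unfilled before `getULong` examines it, which is worth a follow-up check. Jp2Image::readMetadata starts and ends outside the hunk.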
From c884a3b4bf538d872b6cc64590bd5aec90f85ad3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
Date: Fri, 6 Oct 2017 23:11:39 +0200
Subject: [PATCH 3/3] Added the reproducer for CVE-2017-14860 to the test suite

---
 test/bugfixes-test.sh | 7 +++++++
 test/data/003-heap-buffer-over | Bin 0 -> 7629 bytes
 test/data/bugfixes-test.out | Bin 1933571 -> 1933701 bytes
 3 files changed, 7 insertions(+)
 create mode 100644 test/data/003-heap-buffer-over

diff --git a/test/bugfixes-test.sh b/test/bugfixes-test.sh
index 7d74d315..5d5d2afa 100755
--- a/test/bugfixes-test.sh
+++ b/test/bugfixes-test.sh
@@ -730,6 +730,13 @@ source ./functions.source
 copyTestFile $filename
 runTest exiv2 $filename
+ num=g71
+ printf "$num " >&3
+ filename=003-heap-buffer-over
+ echo '------>' Bug $filename '<-------' >&2
+ copyTestFile $filename
+ runTest exiv2 $filename
+
 ) 3>&1 > $results 2>&1
 printf "\n"
diff --git a/test/data/003-heap-buffer-over b/test/data/003-heap-buffer-over
new file mode 100644
index 0000000000000000000000000000000000000000..2c490f6051eb86bedc01cde2bb3e556014ce5886
GIT binary patch
literal 7629
zcmd^EId9ZJ6n-AtyUB_`E&>Dy3jz`@X%Y@aqKO1W5LX1EphTodA|xUzibz>ekaQ$l z0TL(@5-k-i0=n=6s3_>E_yy*TJ@(k+8Q-xYVQI79``$g5?F|6zS(Y^FkZh?t%)8ZNF` zeJsu({`qCXMc-HT{R+vuw;tY}dvIT+_PHRxPiVfCb_e0@3$L4L0`Shm12c$Etb0{s zPjsB&4t9?hY&5~b4j48!ypCtl-r|@dHa3L~+2o_eY`QIXB%UL-yMk|ay<9d%?ctck z@8y_fYjy2IY~tCLFVh&Crsy2%jh%Y`aI` z2I+wY>jC*DAz*XdOWHU&e_fvSsV($^RwF40&I1V+9RabpSo{WnyB)f|h48k@Six0rpkd>NB61=nA9yk2D>0@pfiI6A3p=Mc zV(;Z<_h(9i|64s2Ykx4tlp+#;xe6k$rYzUdz%m(ReD_NZQbPN=gl~S=VYN%PA$NU8 z)DbFSXH`+&s7RSRDigA-d5?}h6v$3o4jw`@`r7IJwP#c%Tvm}8Ip{daXEYw-?ToRi zFw?%XhJs%X;Q-+*Td_3?d4U+yDlDe>YcE7KEl&aqdv-VZG8w}vAW;!hKyoI!M G&X0dzta*3< literal 0 HcmV?d00001
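Review bot: The six added lines in bugfixes-test.sh repeat the preceding test block with only `num` and `filename` changed, and nothing ties `g71` or `003-heap-buffer-over` to the defect being regression-tested; a comment such as `# g71 / CVE-2017-14860: heap buffer overflow in Jp2Image::readMetadata, reproducer 003-heap-buffer-over` above `num=g71` would let a reader locate the fix. The context lines show the same four-line shape used for the previous case, so a helper taking the bug id and file name would remove the duplication, though that is a wider cleanup than this commit needs. `$filename` is unquoted in `copyTestFile $filename` and `runTest exiv2 $filename`, which matches the surrounding lines but would break on a name containing whitespace. The enclosing `( ... ) 3>&1 > $results 2>&1` subshell opens outside the hunk.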
diff --git a/test/data/bugfixes-test.out b/test/data/bugfixes-test.out index 4a397f0f77ea09f2b11da2aeada45209494c7b2f..f4b58fbba341cf7b585a12e563012d2c15ac3c69 100644 GIT binary patch delta 146 zcmZw6$qj-)06@_ou82GClF$Hwgqz)rGN=avnGD=aM7}l9h>6`;iw*d$uYQ)Vx_n^J z!lX@yE{>{-kXG#^hma%tB#YK9l)FKvISU;gMFuVW& delta 67 zcmV~$SsFrM006)*Lb6p_tk?96f859cn>oS~_GNVuiCra9nVZ~Qp;W0g9-dxWZy#Sj Mo!($HopZeX0pnH_)c^nh