xymp
/
exiv2
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix for CVE-2017-14860

Browse Source 
A heap buffer overflow could occur in memcpy when icc.size_ is larger
than data.size_ - pad, as then memcpy would read out of bounds of data.

This commit adds a sanity check to iccLength (= icc.size_): if it is
larger than data.size_ - pad (i.e. an overflow would be caused) an
exception is thrown.

This fixes #71.
v0.27.3
Dan Čermák 8 years ago
parent 65f45a3505
commit ff18fec24b
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File

9
src/jp2image.cpp
Unescape Escape View File

@ -269,10 +269,15 @@ namespace Exiv2
std::cout << "Exiv2::Jp2Image::readMetadata: " std::cout << "Exiv2::Jp2Image::readMetadata: "
<< "Color data found" << std::endl; << "Color data found" << std::endl;
#endif #endif
long pad = 3 ; // 3 padding bytes 2 0 0 const long pad = 3 ; // 3 padding bytes 2 0 0
DataBuf data(subBox.length+8); DataBuf data(subBox.length+8);
io_->read(data.pData_,data.size_); io_->read(data.pData_,data.size_);
long iccLength = getULong(data.pData_+pad, bigEndian); const long iccLength = getULong(data.pData_+pad, bigEndian);
// subtracting pad from data.size_ is safe:
// size_ is at least 8 and pad = 3
if (iccLength > data.size_ - pad) {
throw Error(58);
}
DataBuf icc(iccLength); DataBuf icc(iccLength);
::memcpy(icc.pData_,data.pData_+pad,icc.size_); ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
#ifdef DEBUG #ifdef DEBUG

Write Preview
Loading…
Cancel
Save