author | wangmy <wangmy@fujitsu.com> | 2021-05-18 16:07:59 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2021-05-19 09:17:49 -0700 |
commit | bb1400efda77a7289ca20782172bfbe1f457f161 (patch) | |
tree | fd42ad1a3eb3b25298fe11154b6dc9fd0cf5a420 /meta-oe/recipes-support/exiv2/exiv2 | |
parent | 8c9470bdfaa1d33347ffaf25b3e18d2163667e18 (diff) | |
download | meta-openembedded-bb1400efda77a7289ca20782172bfbe1f457f161.tar.gz |
exiv2: Fix CVE-2021-29470
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1581/commits/6628a69c036df2aa036290e6cd71767c159c79ed]
CVE: CVE-2021-29470
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe/recipes-support/exiv2/exiv2')
-rw-r--r-- | meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch new file mode 100644 index 0000000000..eedf9d79aa --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch @@ -0,0 +1,32 @@ +From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackhouse@github.com> +Date: Wed, 21 Apr 2021 12:06:04 +0100 +Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header +--- + src/jp2image.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index b424225..349a9f0 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m) + DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space + long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? + long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? ++ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata); + Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_; + uint32_t length = getLong((byte*)&pBox->length, bigEndian); ++ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata); + uint32_t count = sizeof (Jp2BoxHeader); + char* p = (char*) boxBuf.pData_; + bool bWroteColor = false ; + + while ( count < length || !bWroteColor ) { ++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata); + Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ; + + // copy data. pointer could be into a memory mapped file which we will decode! +-- +2.25.1 + |
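Review bot: In the Jp2Image::encodeJp2Header hunk, the two checks added before the loop bound `sizeof(Jp2BoxHeader)` and `length` against `output.size_`, yet `pBox` and `p` point into `boxBuf.pData_`, and `output` is allocated as `boxBuf.size_ + iccProfile_.size_ + 100`, so a `length` that passes can still be larger than the buffer being read. Checking against `boxBuf.size_` would tie the bound to the source buffer. Inside the loop, `length - count` is a `uint32_t` subtraction, and the loop condition `count < length || !bWroteColor` also admits iterations with `count >= length`; if `count` ever exceeds `length` the difference wraps to a large value and the enforce passes, so an `enforce(count <= length, Exiv2::kerCorruptedMetadata);` ahead of it would close that case. Separately, the added .patch file has no Upstream-Status or CVE tag in its own header; they appear only in the commit message.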