xref: /OK3568_Linux_fs/yocto/meta-openembedded/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
2From: Kevin Backhouse <kevinbackhouse@github.com>
3Date: Fri, 9 Apr 2021 13:37:48 +0100
4Subject: [PATCH] Fix integer overflow.
5---
6 src/crwimage_int.cpp | 8 ++++++--
7 1 file changed, 6 insertions(+), 2 deletions(-)
8
9diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
10index aefaf22..2e3e507 100644
11--- a/src/crwimage_int.cpp
12+++ b/src/crwimage_int.cpp
13@@ -559,7 +559,7 @@ namespace Exiv2 {
14     void CiffComponent::setValue(DataBuf buf)
15     {
16         if (isAllocated_) {
17-            delete pData_;
18+            delete[] pData_;
19             pData_ = 0;
20             size_ = 0;
21         }
22@@ -1167,7 +1167,11 @@ namespace Exiv2 {
23                                                  pCrwMapping->crwDir_);
24         if (edX != edEnd || edY != edEnd || edO != edEnd) {
25             uint32_t size = 28;
26-            if (cc && cc->size() > size) size = cc->size();
27+            if (cc) {
28+              if (cc->size() < size)
29+                throw Error(kerCorruptedMetadata);
30+              size = cc->size();
31+            }
32             DataBuf buf(size);
33             std::memset(buf.pData_, 0x0, buf.size_);
34             if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
35--
362.25.1
37
38