1From 61734d8842cb9cc59437463e3bac54d6231d9487 Mon Sep 17 00:00:00 2001
2From: Wang Mingyu <wangmy@fujitsu.com>
3Date: Tue, 18 May 2021 10:52:54 +0900
4Subject: [PATCH] modify
5
6Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
7---
8 src/jp2image.cpp | 14 +++++++++-----
9 1 file changed, 9 insertions(+), 5 deletions(-)
10
11diff --git a/src/jp2image.cpp b/src/jp2image.cpp
12index 52723a4..0ac4f50 100644
13--- a/src/jp2image.cpp
14+++ b/src/jp2image.cpp
15@@ -643,11 +643,11 @@ static void boxes_check(size_t b,size_t m)
16 void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
17 {
18 DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
19- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
20- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
21+ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
22+ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
23 Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
24- int32_t length = getLong((byte*)&pBox->length, bigEndian);
25- int32_t count = sizeof (Jp2BoxHeader);
26+ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
27+ uint32_t count = sizeof (Jp2BoxHeader);
28 char* p = (char*) boxBuf.pData_;
29 bool bWroteColor = false ;
30
31@@ -664,6 +664,7 @@ static void boxes_check(size_t b,size_t m)
32 #ifdef EXIV2_DEBUG_MESSAGES
33 std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl;
34 #endif
35+ enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata);
36 count += subBox.length;
37 newBox.type = subBox.type;
38 } else {
39@@ -672,12 +673,13 @@ static void boxes_check(size_t b,size_t m)
40 count = length;
41 }
42
43- int32_t newlen = subBox.length;
44+ uint32_t newlen = subBox.length;
45 if ( newBox.type == kJp2BoxTypeColorHeader ) {
46 bWroteColor = true ;
47 if ( !
iccProfileDefined() ) {
48 const char* pad = "\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid";
49 uint32_t psize = 15;
50+ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
51 ul2Data((byte*)&newBox.length,psize ,bigEndian);
52 ul2Data((byte*)&newBox.type ,newBox.type,bigEndian);
53 ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox));
54@@ -686,6 +688,7 @@ static void boxes_check(size_t b,size_t m)
55 } else {
56 const char* pad = "\0x02\x00\x00";
57 uint32_t psize = 3;
58+ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
59 ul2Data((byte*)&newBox.length,psize+iccProfile_.size_,bigEndian);
60 ul2Data((byte*)&newBox.type,newBox.type,bigEndian);
61 ::memcpy(output.pData_+outlen ,&newBox ,sizeof(newBox) );
62@@ -694,6 +697,7 @@ static void boxes_check(size_t b,size_t m)
63 newlen = psize + iccProfile_.size_;
64 }
65 } else {
66+ enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
67 ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length);
68 }
69
70--
712.25.1
72
73
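Review bot: The `enforce` added before the colour-header writes in the `@@ -672` hunk tests `newlen`, which at that point still holds `subBox.length` from `uint32_t newlen = subBox.length;`, so it does not bound the bytes that `::memcpy(output.pData_+outlen, &newBox, sizeof(newBox))` and whatever follows it actually place in `output`. The `@@ -686` hunk has the same problem: `newlen = psize + iccProfile_.size_` is only assigned after the writes. Check the size being written instead, e.g. `enforce(sizeof(newBox) + psize <= static_cast<size_t>(output.size_ - outlen), Exiv2::kerCorruptedMetadata);` here, with `+ iccProfile_.size_` added in the ICC branch. The writes after the header copy are outside both hunks, so confirm the exact total against the full function.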
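Review bot: In the `@@ -694` hunk the added `enforce` bounds only the destination of `::memcpy(output.pData_+outlen, boxBuf.pData_+inlen, subBox.length)`; the source range is limited solely by `subBox.length <= length - count` from the `@@ -664` hunk. `length` is read from the box header itself and is never compared with `boxBuf.size_` in the visible lines. Unless the caller already guarantees it, add `enforce(length <= static_cast<size_t>(boxBuf.size_), Exiv2::kerCorruptedMetadata);` right after `length` is read in the `@@ -643` hunk. The `@@ -664` check also accepts a `subBox.length` of zero, after which `count += subBox.length` does not advance; whether the loop still terminates depends on its condition, which is outside the hunks, so consider rejecting lengths smaller than `sizeof(Jp2BoxHeader)` there.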