File CVE-2018-19535.patch of Package exiv2

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-19535.patch of Package exiv2

From 03173751b4d7053d6ddf52a15904e8f751f78f56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Sun, 2 Sep 2018 14:39:52 +0200
Subject: [PATCH 2/5] Fix bug in PngChunk::readRawProfile

- Now it takes into account text.size_ when searching for a newline
char.
Index: exiv2-0.23/src/pngchunk.cpp
===================================================================
--- exiv2-0.23.orig/src/pngchunk.cpp
+++ exiv2-0.23/src/pngchunk.cpp
@@ -598,44 +598,53 @@ namespace Exiv2 {
     DataBuf PngChunk::readRawProfile(const DataBuf& text)
     {
         DataBuf                 info;
-        register long           i;
-        register unsigned char *dp;
-        const char             *sp;
-        unsigned int            nibbles;
-        long                    length;
         unsigned char           unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
-                                            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
-                                            0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
-                                            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
-                                            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
-                                            13,14,15};
+            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+            0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
+            13,14,15};
         if (text.size_ == 0) {
             return DataBuf();
         }
 
-        sp = (char*)text.pData_+1;
+        const char *sp  = (char*) text.pData_+1;          // current byte (space pointer)
+        const char *eot = (char*) text.pData_+text.size_; // end of text
 
         // Look for newline
-
-        while (*sp != '\n')
+        while (*sp != '\n' && sp < eot )
+        {
             sp++;
+            if ( sp == eot )
+            {
+                return DataBuf();
+            }
+        }
+        sp++ ; // step over '\n'
 
         // Look for length
-
-        while (*sp == '\0' || *sp == ' ' || *sp == '\n')
+        while ( (*sp == '\0' || *sp == ' ' || *sp == '\n') && sp < eot )
+        {
             sp++;
-
-        length = (long) atol(sp);
-        const char* eot = (char*)text.pData_ + text.size_;
-        if (length < 0 || length > (eot - sp)/2) {
-            throw Error(14);
+            if (sp == eot )
+            {
+                return DataBuf();
+            }
         }
 
-        while (*sp != ' ' && *sp != '\n')
+        const char* startOfLength = sp;
+        while ( ('0' <= *sp && *sp <= '9') && sp < eot)
+        {
             sp++;
+            if (sp == eot )
+            {
+                return DataBuf();
+            }
+        }
+        sp++ ; // step over '\n'
+        long length = (long) atol(startOfLength);
 
         // Allocate space
-
         if (length == 0)
         {
 #ifdef DEBUG
@@ -643,9 +652,7 @@ namespace Exiv2 {
 #endif
             return DataBuf();
         }
-
         info.alloc(length);
-
         if (info.size_ != length)
         {
 #ifdef DEBUG
@@ -655,11 +662,11 @@ namespace Exiv2 {
         }
 
         // Copy profile, skipping white space and column 1 "=" signs
+        unsigned char *dp = (unsigned char*)info.pData_; // decode pointer
+        unsigned int nibbles = length * 2;
 
-        dp      = (unsigned char*)info.pData_;
-        nibbles = length * 2;
 
-        for (i = 0; i < (long) nibbles; i++)
+        for (long i = 0; i < (long) nibbles; i++)
         {
             while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
             {

Places

File CVE-2018-19535.patch of Package exiv2

Places