File CVE-2017-11591.patch of Package exiv2.14488

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2017-11591.patch of Package exiv2.14488

From f2712004d89cc556af8b45cb714e2316025092a8 Mon Sep 17 00:00:00 2001
From: clanmills <robin@clanmills.com>
Date: Wed, 27 Sep 2017 09:20:13 +0100
Subject: [PATCH] Fix https://github.com/Exiv2/exiv2/issues/55

(cherry picked from commit 6e3855aed7ba8bb4731fc4087ca7f9078b2f3d97)
---
 include/exiv2/value.hpp | 6 ++++--
 src/basicio.cpp         | 1 +
 src/error.cpp           | 7 ++++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

Index: exiv2-0.23/src/value.hpp
===================================================================
--- exiv2-0.23.orig/src/value.hpp
+++ exiv2-0.23/src/value.hpp
@@ -1628,11 +1628,13 @@ namespace Exiv2 {
         ok_ = true;
         return static_cast<long>(value_[n]);
     }
+// #55 crash when value_[n].first == LONG_MIN
+#define LARGE_INT 1000000
     // Specialization for rational
     template<>
     inline long ValueType<Rational>::toLong(long n) const
     {
-        ok_ = (value_[n].second != 0);
+        ok_ = (value_[n].second != 0 && -LARGE_INT < value_[n].first && value_[n].first < LARGE_INT);
         if (!ok_) return 0;
         return value_[n].first / value_[n].second;
     }
@@ -1640,7 +1642,7 @@ namespace Exiv2 {
     template<>
     inline long ValueType<URational>::toLong(long n) const
     {
-        ok_ = (value_[n].second != 0);
+        ok_ = (value_[n].second != 0 && value_[n].first < LARGE_INT);
         if (!ok_) return 0;
         return value_[n].first / value_[n].second;
     }
Index: exiv2-0.23/src/basicio.cpp
===================================================================
--- exiv2-0.23.orig/src/basicio.cpp
+++ exiv2-0.23/src/basicio.cpp
@@ -851,6 +851,7 @@ namespace Exiv2 {
     DataBuf FileIo::read(long rcount)
     {
         assert(p_->fp_ != 0);
+        if ( (size_t) rcount > size() ) throw Error(57);
         DataBuf buf(rcount);
         long readCount = read(buf.pData_, buf.size_);
         buf.size_ = readCount;
Index: exiv2-0.23/src/error.cpp
===================================================================
--- exiv2-0.23.orig/src/error.cpp
+++ exiv2-0.23/src/error.cpp
@@ -105,7 +105,12 @@ namespace {
         { 49, N_("TIFF directory %1 has too many entries") }, // %1=TIFF directory name
         { 50, N_("Multiple TIFF array element tags %1 in one directory") }, // %1=tag number
         { 51, N_("TIFF array element tag %1 has wrong type") }, // %1=tag number
-        { 52, N_("%1 has invalid XMP value type `%2'") } // %1=key, %2=value type
+        { 52, N_("%1 has invalid XMP value type `%2'") }, // %1=key, %2=value type
+        { 53, N_("Not a valid ICC Profile") },
+        { 54, N_("Not valid XMP") },
+        { 55, N_("tiff directory length is too large") },
+        { 56, N_("invalid type value detected in Image::printIFDStructure") },
+        { 57, N_("invalid memory allocation request") },
     };
 
 }

Places

File CVE-2017-11591.patch of Package exiv2.14488

Places