File CVE-2020-18831.patch of Package exiv2.30966

From 20a13f00e2db24c58ee326e4c89a56469718b30e Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kev@semmle.com>
Date: Thu, 16 May 2019 13:22:53 +0100
Subject: [PATCH] Add better bounds checking in PngImage::printStructure().

---
 src/pngimage.cpp                        |  13 +++++++---

Index: exiv2-0.26/src/pngimage.cpp
===================================================================
--- exiv2-0.26.orig/src/pngimage.cpp
+++ exiv2-0.26/src/pngimage.cpp
@@ -251,7 +251,7 @@ namespace Exiv2 {
                 if (bufRead != cheaderBuf.size_) throw Error(20);
 
                 // Decode chunk data length.
-                uint32_t dataOffset = Exiv2::getULong(cheaderBuf.pData_, Exiv2::bigEndian);
+                const uint32_t dataOffset = Exiv2::getULong(cheaderBuf.pData_, Exiv2::bigEndian);
                 for (int i = 4; i < 8; i++) {
                     chType[i-4]=cheaderBuf.pData_[i];
                 }
@@ -266,7 +266,8 @@ namespace Exiv2 {
                 }
 
                 DataBuf   buff(dataOffset);
-                io_->read(buff.pData_,dataOffset);
+                bufRead = io_->read(buff.pData_,dataOffset);
+                enforce(bufRead == static_cast<long>(dataOffset), kerFailedToReadImageData);
                 io_->seek(restore, BasicIo::beg);
 
                 // format output
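Review bot: The added `enforce(bufRead == static_cast<long>(dataOffset), kerFailedToReadImageData);` depends on the `enforce` helper and a named error code, while the untouched header-read check above still throws a numeric code (`throw Error(20)`), which suggests the 0.26 tree may have neither. The diffstat lists only src/pngimage.cpp and no hunk adds an include, so confirm that an earlier patch in the package supplies both. If not, the check can follow the file's existing style, mirroring the header-read check: `if (bufRead != static_cast<long>(dataOffset)) throw Error(20);`. The same applies to the `enforce` calls in the two later hunks.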
@@ -279,7 +280,8 @@ namespace Exiv2 {
                 if ( bPrint ) {
                     io_->seek(dataOffset, BasicIo::cur);// jump to checksum
                     byte checksum[4];
-                    io_->read(checksum,4);
+                    bufRead = io_->read(checksum,4);
+                    enforce(bufRead == 4, kerFailedToReadImageData);
                     io_->seek(restore, BasicIo::beg)   ;// restore file pointer
 
                     out << Internal::stringFormat("%8d | %-5s |%8d | "
@@ -310,9 +312,12 @@ namespace Exiv2 {
                     DataBuf   dataBuf;
                     byte*     data   = new byte[dataOffset+1];
                     data[dataOffset] = 0;
-                    io_->read(data,dataOffset);
+                    bufRead = io_->read(data,dataOffset);
+                    enforce(bufRead == static_cast<long>(dataOffset), kerFailedToReadImageData);
                     io_->seek(restore, BasicIo::beg);
                     uint32_t  name_l = (uint32_t) std::strlen((const char*)data)+1; // leading string length
+                    enforce(name_l <= dataOffset, kerCorruptedMetadata);
+
                     uint32_t  start  = name_l;
                     bool      bLF    = false;
 
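Review bot: The two `enforce` calls added after `byte* data = new byte[dataOffset+1];` can throw while `data` is still a raw owning pointer, so a truncated or malformed chunk leaks the buffer on exactly the error paths this patch adds. The matching `delete[]` is presumably further down, outside the hunk. Holding the storage in an owning object, as the earlier hunk does with `DataBuf buff(dataOffset);`, keeps those paths clean: `DataBuf dataStore(dataOffset+1);` then `byte* data = dataStore.pData_;`, with the later `delete[]` dropped. Separately, `dataOffset+1` is computed in `uint32_t`, so a declared chunk length of 0xFFFFFFFF would wrap to a zero-sized allocation before `data[dataOffset] = 0` writes to it. No upper bound on `dataOffset` is visible in these hunks, so confirm one is enforced earlier in the loop.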