File CVE-2020-18651.patch of Package exempi.30700

From fdd4765a699f9700850098b43b9798b933acb32f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hubert=20Figui=C3=A8re?= <hub@figuiere.net>
Date: Sun, 28 Jul 2019 10:15:19 -0400
Subject: [PATCH] Issue #13 - Fix a buffer a overflow in ID3 support

https://gitlab.freedesktop.org/libopenraw/exempi/issues/13
---
 XMPFiles/source/FormatSupport/ID3_Support.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/XMPFiles/source/FormatSupport/ID3_Support.cpp b/XMPFiles/source/FormatSupport/ID3_Support.cpp
index 0bc4eb6..ee8bb0b 100644
--- a/XMPFiles/source/FormatSupport/ID3_Support.cpp
+++ b/XMPFiles/source/FormatSupport/ID3_Support.cpp
@@ -682,6 +682,10 @@ bool ID3v2Frame::getFrameValue ( XMP_Uns8 /*majorVersion*/, XMP_Uns32 logicalID,
 			std::string tmp ( this->content, this->contentSize );
 			bool bigEndian = true;	// assume for now (if no BOM follows)
 
+			if (pos + 2 > this->contentSize) {
+				// No enough for the string
+				break;
+			}
 			if ( GetUns16BE ( &this->content[pos] ) == 0xFEFF ) {
 				pos += 2;
 				bigEndian = true;
@@ -699,6 +703,10 @@ bool ID3v2Frame::getFrameValue ( XMP_Uns8 /*majorVersion*/, XMP_Uns32 logicalID,
 		{
 			if ( commMode && (! advancePastCOMMDescriptor ( pos )) ) return false; // not a frame of interest!
 		
+			if (pos + 4 > this->contentSize) {
+				// No enough for the string
+				break;
+			}
 			if ( (GetUns32BE ( &this->content[pos]) & 0xFFFFFF00 ) == 0xEFBBBF00 ) {
 				pos += 3;	// swallow any BOM, just in case
 			}
-- 
2.41.0

openSUSE Build Service is sponsored by