File CVE-2019-13109.patch of Package exiv2-0_26.26888

From 709830d2591fc9067257276168f68af9a90a1d33 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kev@semmle.com>
Date: Thu, 25 Apr 2019 21:31:50 +0100
Subject: [PATCH] Avoid negative integer overflow when `iccOffset >
 chunkLength`.

This fixes #790.
---
 src/pngimage.cpp                        |   2 ++

Index: exiv2-0.26/src/pngimage.cpp
===================================================================
--- exiv2-0.26.orig/src/pngimage.cpp
+++ exiv2-0.26/src/pngimage.cpp
@@ -40,6 +40,7 @@ EXIV2_RCSID("@(#) $Id$")
 #include "image_int.hpp"
 #include "basicio.hpp"
 #include "error.hpp"
+#include "enforce.hpp"
 #include "futils.hpp"
 #include "types.hpp"
 
@@ -477,7 +478,17 @@ namespace Exiv2 {
                 }
                 else if (!memcmp(cheaderBuf.pData_ + 4, "iCCP", 4))
                 {
-                    zlibToDataBuf(cdataBuf.pData_ +12+1,dataOffset-13,iccProfile_); // +1 = 'compressed' flag
+                    // The ICC profile name can vary from 1-79 characters.
+                    uint32_t iccOffset = 0;
+                    do {
+                      enforce(iccOffset < 80 && iccOffset < dataOffset,
+                              Exiv2::kerCorruptedMetadata);
+                    } while(cdataBuf.pData_[iccOffset++] != 0x00);
+
+                    ++iccOffset; // +1 = 'compressed' flag
+                    enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);
+
+                    zlibToDataBuf(cdataBuf.pData_ + iccOffset, dataOffset - iccOffset, iccProfile_);
 #ifdef DEBUG
                     std::cout << "Exiv2::PngImage::readMetadata: Found iCCP chunk length: " << dataOffset  << std::endl;
                     std::cout << "Exiv2::PngImage::readMetadata: iccProfile.size_ : " << iccProfile_.size_ << std::endl;
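Review bot: The post-loop check `enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata);` still admits `iccOffset == dataOffset`, so a chunk holding only a profile name, its NUL terminator and the compression-method byte reaches `zlibToDataBuf` with a zero-length input; since an iCCP chunk with no compressed profile is malformed anyway, tightening it to `enforce(iccOffset < dataOffset, Exiv2::kerCorruptedMetadata);` rejects that case up front instead of relying on how zlib treats an empty stream. The compression-method byte that `++iccOffset` steps over is never inspected, and PNG defines only method 0, so a comment such as `// compression method byte is not validated; only 0 (deflate) is defined` would record that known gap next to the increment. The name loop's bounds look right (it reads indices 0..79, each also below dataOffset), assuming cdataBuf holds at least dataOffset bytes as the original `dataOffset-13` arithmetic implies. The enclosing readMetadata body starts and ends outside the hunk.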