File CVE-2020-18899.patch of Package exiv2-0_26
From 051b5d9df1f4669117937b7a40104404cc252993 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Wed, 20 Mar 2019 22:50:14 +0100
Subject: [PATCH] Fix #742 by detecting incorrect subBox size
(cherry picked from commit 1bdd3eab5ebdde324dbfecc3fb6d6495b32d2e4d)
---
src/jp2image.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: exiv2-0.26/src/jp2image.cpp
===================================================================
--- exiv2-0.26.orig/src/jp2image.cpp
+++ exiv2-0.26/src/jp2image.cpp
@@ -175,6 +175,8 @@ namespace Exiv2
throw(Error(32, "Image comment", "JP2"));
} // Jp2Image::setComment
+ const size_t boxHSize = sizeof(Jp2BoxHeader);
+
static void lf(std::ostream& out,bool& bLF)
{
if ( bLF ) {
@@ -506,6 +508,10 @@ namespace Exiv2
subBox.length = getLong((byte*)&subBox.length, bigEndian);
subBox.type = getLong((byte*)&subBox.type, bigEndian);
+ if (subBox.length < boxHSize || subBox.length > io_->size() - io_->tell()) {
+ throw Error(kerCorruptedMetadata);
+ }
+
DataBuf data(subBox.length-sizeof(box));
io_->read(data.pData_,data.size_);
if ( bPrint ) {
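Review bot: The lower bound on the new check uses `boxHSize` while the allocation two lines below still subtracts `sizeof(box)`, so the guard against an unsigned wrap in `subBox.length-sizeof(box)` only holds if `box` is a `Jp2BoxHeader` (not visible in this hunk); tying the two together as `DataBuf data(subBox.length - boxHSize);` would make the intent explicit and keep the check from silently drifting if either type changes. The upper bound is also worth a second look: the `getLong` calls above convert a header that appears to have been read already, in which case the bytes still to be read are `subBox.length - boxHSize`, and comparing the full `subBox.length` against `io_->size() - io_->tell()` rejects a sub-box that ends exactly at end of file — if that is the case, `subBox.length - boxHSize > io_->size() - io_->tell()` is the tighter form. `io_->size() - io_->tell()` is an unsigned subtraction that wraps if the stream position is ever past the end, so a short comment such as `// length includes the header; reject boxes that underflow the data size or run past EOF` plus a note on that assumption would help the next reader. The enclosing function starts and ends outside this hunk.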