File CVE-2018-20099.patch of Package exiv2.26842
From 2736126e7b92c5654f56620c097f9a4580c0f73b Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Tue, 27 Apr 2021 11:06:56 +0100
Subject: [PATCH] Fix infinite loop caused by subBox with zero size.
---
src/jp2image.cpp | 1 +
1 file changed, 1 insertion(+)
Index: exiv2-0.26/src/jp2image.cpp
===================================================================
--- exiv2-0.26.orig/src/jp2image.cpp
+++ exiv2-0.26/src/jp2image.cpp
@@ -665,6 +665,8 @@ static void boxes_check(size_t b,size_t
if ( count < length ) {
subBox.length = getLong((byte*)&subBox.length, bigEndian);
subBox.type = getLong((byte*)&subBox.type , bigEndian);
+ enforce(subBox.length > 0, Exiv2::kerCorruptedMetadata);
+ enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata);
#ifdef DEBUG
std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl;
#endif
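Review bot: The two added `enforce` calls still accept a sub-box length of 1 to 7, which is smaller than the sub-box header itself (`subBox.length` and `subBox.type` are each read with `getLong`, so the header is presumably 8 bytes). The zero-length case is rejected, but a non-zero length below the header size describes a box that cannot contain its own header. A lower bound next to the new checks would reject that and also cover the zero case: `enforce(subBox.length >= sizeof(subBox), Exiv2::kerCorruptedMetadata);`. The enclosing loop and the code that consumes `subBox.length` lie outside this hunk, so how the length is used afterwards should be confirmed there. A short comment such as `// reject sub-boxes that are empty or extend past the parent box` above the checks would record why they exist.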