diff options
| author | Christopher Baines <mail@cbaines.net> | 2021-03-05 22:56:40 +0000 |
|---|---|---|
| committer | Christopher Baines <mail@cbaines.net> | 2021-03-06 00:18:30 +0000 |
| commit | a8448da0f4a090818104e64dd79f90b0e50d5e77 (patch) | |
| tree | 494c58b4724f12cd9de0db9b0a7096de2b922c0f /gnu/packages/patches/exiv2-CVE-2017-14860.patch | |
| parent | 4f4b749e75b38b8c08b4f67ef51c2c8740999e28 (diff) | |
| parent | a714af38d5d1046081524d859cde4cd8fd12a923 (diff) | |
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches/exiv2-CVE-2017-14860.patch')
| -rw-r--r-- | gnu/packages/patches/exiv2-CVE-2017-14860.patch | 48 |
1 files changed, 0 insertions, 48 deletions
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch deleted file mode 100644 index 43e6076b71..0000000000 --- a/gnu/packages/patches/exiv2-CVE-2017-14860.patch +++ /dev/null @@ -1,48 +0,0 @@ -Fix CVE-2017-14860. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860 -https://nvd.nist.gov/vuln/detail/CVE-2017-14860 - -Copied from upstream: - -https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce - -From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com> -Date: Fri, 6 Oct 2017 23:09:08 +0200 -Subject: [PATCH] Fix for CVE-2017-14860 - -A heap buffer overflow could occur in memcpy when icc.size_ is larger -than data.size_ - pad, as then memcpy would read out of bounds of data. - -This commit adds a sanity check to iccLength (= icc.size_): if it is -larger than data.size_ - pad (i.e. an overflow would be caused) an -exception is thrown. - -This fixes #71. ---- - src/jp2image.cpp | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/jp2image.cpp b/src/jp2image.cpp -index 747145cf..748d39b5 100644 ---- a/src/jp2image.cpp -+++ b/src/jp2image.cpp -@@ -269,10 +269,15 @@ namespace Exiv2 - std::cout << "Exiv2::Jp2Image::readMetadata: " - << "Color data found" << std::endl; - #endif -- long pad = 3 ; // 3 padding bytes 2 0 0 -+ const long pad = 3 ; // 3 padding bytes 2 0 0 - DataBuf data(subBox.length+8); - io_->read(data.pData_,data.size_); -- long iccLength = getULong(data.pData_+pad, bigEndian); -+ const long iccLength = getULong(data.pData_+pad, bigEndian); -+ // subtracting pad from data.size_ is safe: -+ // size_ is at least 8 and pad = 3 -+ if (iccLength > data.size_ - pad) { -+ throw Error(58); -+ } - DataBuf icc(iccLength); - ::memcpy(icc.pData_,data.pData_+pad,icc.size_); - #ifdef DEBUG |