mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
exiv2: Fix CVE-2021-29458
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29458
The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2,
if they can trick the victim into running Exiv2 on a crafted image file.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1536/commits/06d2db6e5fd2fcca9c060e95fc97f8a5b5d4c22d]
CVE: CVE-2021-29458
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f0d83c14d9)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
@@ -0,0 +1,37 @@
|
|||||||
|
From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kevin Backhouse <kevinbackhouse@github.com>
|
||||||
|
Date: Fri, 9 Apr 2021 13:37:48 +0100
|
||||||
|
Subject: [PATCH] Fix integer overflow.
|
||||||
|
---
|
||||||
|
src/crwimage_int.cpp | 8 ++++++--
|
||||||
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
|
||||||
|
index aefaf22..2e3e507 100644
|
||||||
|
--- a/src/crwimage_int.cpp
|
||||||
|
+++ b/src/crwimage_int.cpp
|
||||||
|
@@ -559,7 +559,7 @@ namespace Exiv2 {
|
||||||
|
void CiffComponent::setValue(DataBuf buf)
|
||||||
|
{
|
||||||
|
if (isAllocated_) {
|
||||||
|
- delete pData_;
|
||||||
|
+ delete[] pData_;
|
||||||
|
pData_ = 0;
|
||||||
|
size_ = 0;
|
||||||
|
}
|
||||||
|
@@ -1167,7 +1167,11 @@ namespace Exiv2 {
|
||||||
|
pCrwMapping->crwDir_);
|
||||||
|
if (edX != edEnd || edY != edEnd || edO != edEnd) {
|
||||||
|
uint32_t size = 28;
|
||||||
|
- if (cc && cc->size() > size) size = cc->size();
|
||||||
|
+ if (cc) {
|
||||||
|
+ if (cc->size() < size)
|
||||||
|
+ throw Error(kerCorruptedMetadata);
|
||||||
|
+ size = cc->size();
|
||||||
|
+ }
|
||||||
|
DataBuf buf(size);
|
||||||
|
std::memset(buf.pData_, 0x0, buf.size_);
|
||||||
|
if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
|
||||||
|
--
|
||||||
|
2.25.1
|
||||||
|
|
||||||
@@ -10,7 +10,8 @@ SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994
|
|||||||
# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
|
# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either
|
||||||
inherit dos2unix
|
inherit dos2unix
|
||||||
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
|
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
|
||||||
file://CVE-2021-29457.patch"
|
file://CVE-2021-29457.patch \
|
||||||
|
file://CVE-2021-29458.patch"
|
||||||
|
|
||||||
S = "${WORKDIR}/${BPN}-${PV}-Source"
|
S = "${WORKDIR}/${BPN}-${PV}-Source"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user