mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
exiv2: Fix CVE-2021-3482
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3482
Improper input validation of the rawData.size property in Jp2Image::readMetadata() in jp2image.cpp
can lead to a heap-based buffer overflow via a crafted JPG image containing malicious EXIF data.
Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/pull/1523/commits/22ea582c6b74ada30bec3a6b15de3c3e52f2b4da]
CVE: CVE-2021-3482
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9e7c2c9713)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
@@ -0,0 +1,54 @@
|
|||||||
|
From 22ea582c6b74ada30bec3a6b15de3c3e52f2b4da Mon Sep 17 00:00:00 2001
|
||||||
|
From: Robin Mills <robin@clanmills.com>
|
||||||
|
Date: Mon, 5 Apr 2021 20:33:25 +0100
|
||||||
|
Subject: [PATCH] fix_1522_jp2image_exif_asan
|
||||||
|
|
||||||
|
---
|
||||||
|
src/jp2image.cpp | 9 ++++++---
|
||||||
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
|
||||||
|
index eb31cea4a..88ab9b2d6 100644
|
||||||
|
--- a/src/jp2image.cpp
|
||||||
|
+++ b/src/jp2image.cpp
|
||||||
|
@@ -28,6 +28,7 @@
|
||||||
|
#include "image.hpp"
|
||||||
|
#include "image_int.hpp"
|
||||||
|
#include "basicio.hpp"
|
||||||
|
+#include "enforce.hpp"
|
||||||
|
#include "error.hpp"
|
||||||
|
#include "futils.hpp"
|
||||||
|
#include "types.hpp"
|
||||||
|
@@ -353,7 +354,7 @@ static void boxes_check(size_t b,size_t m)
|
||||||
|
if (io_->error()) throw Error(kerFailedToReadImageData);
|
||||||
|
if (bufRead != rawData.size_) throw Error(kerInputDataReadFailed);
|
||||||
|
|
||||||
|
- if (rawData.size_ > 0)
|
||||||
|
+ if (rawData.size_ > 8) // "II*\0long"
|
||||||
|
{
|
||||||
|
// Find the position of Exif header in bytes array.
|
||||||
|
long pos = ( (rawData.pData_[0] == rawData.pData_[1])
|
||||||
|
@@ -497,6 +498,7 @@ static void boxes_check(size_t b,size_t m)
|
||||||
|
position = io_->tell();
|
||||||
|
box.length = getLong((byte*)&box.length, bigEndian);
|
||||||
|
box.type = getLong((byte*)&box.type, bigEndian);
|
||||||
|
+ enforce(box.length <= io_->size()-io_->tell() , Exiv2::kerCorruptedMetadata);
|
||||||
|
|
||||||
|
if (bPrint) {
|
||||||
|
out << Internal::stringFormat("%8ld | %8ld | ", (size_t)(position - sizeof(box)),
|
||||||
|
@@ -581,12 +583,13 @@ static void boxes_check(size_t b,size_t m)
|
||||||
|
throw Error(kerInputDataReadFailed);
|
||||||
|
|
||||||
|
if (bPrint) {
|
||||||
|
- out << Internal::binaryToString(makeSlice(rawData, 0, 40));
|
||||||
|
+ out << Internal::binaryToString(
|
||||||
|
+ makeSlice(rawData, 0, rawData.size_>40?40:rawData.size_));
|
||||||
|
out.flush();
|
||||||
|
}
|
||||||
|
lf(out, bLF);
|
||||||
|
|
||||||
|
- if (bIsExif && bRecursive && rawData.size_ > 0) {
|
||||||
|
+ if (bIsExif && bRecursive && rawData.size_ > 8) { // "II*\0long"
|
||||||
|
if ((rawData.pData_[0] == rawData.pData_[1]) &&
|
||||||
|
(rawData.pData_[0] == 'I' || rawData.pData_[0] == 'M')) {
|
||||||
|
BasicIo::AutoPtr p = BasicIo::AutoPtr(new MemIo(rawData.pData_, rawData.size_));
|
||||||
@@ -12,7 +12,8 @@ inherit dos2unix
|
|||||||
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
|
SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.patch \
|
||||||
file://CVE-2021-29457.patch \
|
file://CVE-2021-29457.patch \
|
||||||
file://CVE-2021-29458.patch \
|
file://CVE-2021-29458.patch \
|
||||||
file://CVE-2021-29463.patch"
|
file://CVE-2021-29463.patch \
|
||||||
|
file://CVE-2021-3482.patch"
|
||||||
|
|
||||||
S = "${WORKDIR}/${BPN}-${PV}-Source"
|
S = "${WORKDIR}/${BPN}-${PV}-Source"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user