diff options
Diffstat (limited to 'media-gfx/exiv2/files/exiv2-0.26_p20180319-CVE-2018-4868.patch')
| -rw-r--r-- | media-gfx/exiv2/files/exiv2-0.26_p20180319-CVE-2018-4868.patch | 39 |
1 files changed, 0 insertions, 39 deletions
diff --git a/media-gfx/exiv2/files/exiv2-0.26_p20180319-CVE-2018-4868.patch b/media-gfx/exiv2/files/exiv2-0.26_p20180319-CVE-2018-4868.patch deleted file mode 100644 index a594a2bfad13..000000000000 --- a/media-gfx/exiv2/files/exiv2-0.26_p20180319-CVE-2018-4868.patch +++ /dev/null @@ -1,39 +0,0 @@ -From ce4f575e106697c0e513091e95a7cd12ed6a488b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
-Date: Tue, 9 Jan 2018 21:18:36 +0100
-Subject: [PATCH 1/8] Add check for DataBuf.size_ in Jp2Image::readMetadata()
-
-When parsing a subBox that is a ColorHeader, a length is extracted
-from the input file and fed directly into DataBuf() (which calls
-malloc). A crafted input file can provide arbitrarily (up to
-max(uint32_t)-8) large values and result in excessive memory
-allocation.
-
-This commit adds a check for the new size of DataBuf so that it is not
-larger than the remaining size of the file.
-
-This fixes #202 aka CVE-2018-4868
----
- src/jp2image.cpp | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/jp2image.cpp b/src/jp2image.cpp
-index a308bfd9..3cebc2a8 100644
---- a/src/jp2image.cpp
-+++ b/src/jp2image.cpp
-@@ -272,7 +272,12 @@ namespace Exiv2
- #endif
-
- const long pad = 3 ; // 3 padding bytes 2 0 0
-- DataBuf data(Safe::add(subBox.length, static_cast<uint32_t>(8)));
-+ const size_t data_length = Safe::add(subBox.length, static_cast<uint32_t>(8));
-+ // data_length makes no sense if it is larger than the rest of the file
-+ if (data_length > io_->size() - io_->tell()) {
-+ throw Error(58);
-+ }
-+ DataBuf data(data_length);
- io_->read(data.pData_,data.size_);
- const long iccLength = getULong(data.pData_+pad, bigEndian);
- // subtracting pad from data.size_ is safe:
---
-2.17.0
|