Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
exiv2
CVE-2017-17669.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2017-17669.patch of Package exiv2
From 06aa7ab69d0c4f3d14644bd84fc9d1346154430d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com> Date: Mon, 22 Jan 2018 23:56:08 +0100 Subject: Fix out of bounds read in src/pngchunk_int.cpp by @brianmay - consider that key is advanced by 8 bytes if stripHeader is true => length is reduced by same amount Fixed by adding offset to the check in the loop - Rewrote loop so that keysize is checked before the next iteration (preventing an out of bounds read) diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp index da4ccd01..b54bcdac 100644 --- a/src/pngchunk.cpp +++ b/src/pngchunk.cpp @@ -107,15 +107,17 @@ namespace Exiv2 { { // From a tEXt, zTXt, or iTXt chunk, // we get the key, it's a null terminated string at the chunk start - if (data.size_ <= (stripHeader ? 8 : 0)) throw Error(14); - const byte *key = data.pData_ + (stripHeader ? 8 : 0); + const int offset = stripHeader ? 8 : 0; + if (data.size_ <= offset) throw Error(14); + const byte *key = data.pData_ + offset; // Find null string at end of key. int keysize=0; - for ( ; key[keysize] != 0 ; keysize++) + while (key[keysize] != 0) { + keysize++; // look if keysize is valid. - if (keysize >= data.size_) + if (keysize+offset >= data.size_) throw Error(14); }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor