File CVE-2018-19535.patch of Package exiv2
From 03173751b4d7053d6ddf52a15904e8f751f78f56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Sun, 2 Sep 2018 14:39:52 +0200
Subject: [PATCH 2/5] Fix bug in PngChunk::readRawProfile - Now it takes into account text.size_ when searching for a newline char.
Index: exiv2-0.23/src/pngchunk.cpp
===================================================================
--- exiv2-0.23.orig/src/pngchunk.cpp
+++ exiv2-0.23/src/pngchunk.cpp
@@ -598,44 +598,53 @@ namespace Exiv2 { DataBuf PngChunk::readRawProfile(const DataBuf& text) { DataBuf info; - register long i; - register unsigned char *dp; - const char *sp; - unsigned int nibbles; - long length; unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, - 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, - 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0, - 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, - 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12, - 13,14,15}; + 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, + 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0, + 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, + 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12, + 13,14,15}; if (text.size_ == 0) { return DataBuf(); } - sp = (char*)text.pData_+1; + const char *sp = (char*) text.pData_+1; // current byte (space pointer) + const char *eot = (char*) text.pData_+text.size_; // end of text // Look for newline - - while (*sp != '\n') + while (*sp != '\n' && sp < eot ) + { sp++; + if ( sp == eot ) + { + return DataBuf(); + } + } + sp++ ; // step over '\n' // Look for length - - while (*sp == '\0' || *sp == ' ' || *sp == '\n') + while ( (*sp == '\0' || *sp == ' ' || *sp == '\n') && sp < eot ) + { sp++; - - length = (long) atol(sp); - const char* eot = (char*)text.pData_ + text.size_; - if (length < 0 || length > (eot - sp)/2) { - throw Error(14); + if (sp == eot ) + { + return DataBuf(); + } } - while (*sp != ' ' && *sp != '\n') + const char* startOfLength = sp; + while ( ('0' <= *sp && *sp <= '9') && sp < eot) + { sp++; + if (sp == eot ) + { + return DataBuf(); + } + } + sp++ ; // step over '\n' + long length = (long) atol(startOfLength); // Allocate space - if (length == 0) { #ifdef DEBUG @@ -643,9 +652,7 @@ namespace Exiv2 { #endif return DataBuf(); } - info.alloc(length); - if (info.size_ != length) { #ifdef DEBUG 
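Review bot: The three scan loops added to readRawProfile in the first hunk test `*sp` before `sp < eot`, so the byte at `eot` can still be read. With `text.size_ == 1` the initial `sp = pData_+1` already equals `eot`, and each `sp++ ; // step over '\n'` can leave `sp == eot` just before the next loop dereferences it. Put the bound first, e.g. `while (sp < eot && *sp != '\n')`, and add `if (sp >= eot) return DataBuf();` after each step-over increment. The second `sp++` is commented as stepping over '\n', but the digit loop stops at any non-digit, so that comment should read "step over the delimiter after the length".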
@@ -655,11 +662,11 @@ namespace Exiv2 { } // Copy profile, skipping white space and column 1 "=" signs + unsigned char *dp = (unsigned char*)info.pData_; // decode pointer + unsigned int nibbles = length * 2; - dp = (unsigned char*)info.pData_; - nibbles = length * 2; - for (i = 0; i < (long) nibbles; i++) + for (long i = 0; i < (long) nibbles; i++) { while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f') {
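Review bot: Nothing visible in this decode loop compares `sp` with `eot`, and the first hunk removes the earlier `length > (eot - sp)/2` check, so a declared length larger than the hex data that actually follows lets the `while (*sp < '0' ...)` skip loop read past the end of `text`. Unless a later patch in the series restores it, keep a guard before `info.alloc(length)`, e.g. `if (length < 0 || length > (eot - sp)/2) throw Error(14);`, or bail out inside the loop with `if (sp >= eot) return DataBuf();`. `unsigned int nibbles = length * 2;` also narrows a `long` taken from `atol`, so bounding `length` first keeps that multiplication from wrapping. The loop body continues outside the hunk, so this is based only on the lines shown.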