Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
exiv2
CVE-2019-20421.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-20421.patch of Package exiv2
Index: exiv2-0.23/src/jp2image.cpp =================================================================== --- exiv2-0.23.orig/src/jp2image.cpp +++ exiv2-0.23/src/jp2image.cpp @@ -149,6 +149,16 @@ namespace Exiv2 throw(Error(32, "Image comment", "JP2")); } // Jp2Image::setComment +static void boxes_check(size_t b,size_t m) +{ + if ( b > m ) { +#ifdef DEBUG + std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl; +#endif + throw Error(kerCorruptedMetadata); + } +} + void Jp2Image::readMetadata() { #ifdef DEBUG @@ -171,9 +181,12 @@ namespace Exiv2 Jp2BoxHeader subBox = {0,0}; Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0}; Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; + size_t boxes = 0 ; + size_t boxem = 1000 ; // boxes max while (io_->read((byte*)&box, sizeof(box)) == sizeof(box)) { + boxes_check(boxes++,boxem ); position = io_->tell(); box.boxLength = getLong((byte*)&box.boxLength, bigEndian); #ifdef DEBUG @@ -206,8 +219,12 @@ namespace Exiv2 if (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox)) { + boxes_check(boxes++, boxem); subBox.boxLength = getLong((byte*)&subBox.boxLength, bigEndian); subBox.boxType = getLong((byte*)&subBox.boxType, bigEndian); + if (subBox.boxLength > io_->size() ) { + throw Error(kerCorruptedMetadata); + } if((subBox.boxType == kJp2BoxTypeImageHeader) && (io_->read((byte*)&ihdr, sizeof(ihdr)) == sizeof(ihdr)))
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
