File CVE-2018-10772.patch of Package exiv2

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-10772.patch of Package exiv2

From 8d5a3c7dd9e4117b5f5bc91fb4842beedfb19e90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Fri, 6 Jul 2018 11:51:55 +0200
Subject: [PATCH] Remove buffer overread in tExtToDataBuf

The pointer p is advanced in the while loop to step over three '\n'.
However, its length is never reduced accordingly. => the length check in the
following for loop is invalid, as it permits overreading by the number of
characters that p was advanced by.
---
 src/pngimage.cpp | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index 2e1c4d0c11..984f7532f5 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -155,12 +155,21 @@ namespace Exiv2 {
         }
 
         // calculate length and allocate result;
+        // count: number of \n in the header
         long        count=0;
+        // p points to the current position in the array bytes
         const byte* p = bytes ;
-        // header is \nsomething\n number\n hex
-        while ( count < 3 )
-            if ( *p++ == '\n' )
+
+        // header is '\nsomething\n number\n hex'
+        // => increment p until it points to the byte after the last \n
+        //    p must stay within bounds of the bytes array!
+        while ((count < 3) && (p - bytes < length)) {
+            // length is later used for range checks of p => decrement it for each increment of p
+            --length;
+            if ( *p++ == '\n' ) {
                 count++;
+            }
+        }
         for ( long i = 0 ; i < length ; i++ )
             if ( value[p[i]] )
                 ++count;

Places

File CVE-2018-10772.patch of Package exiv2

Places