Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:GA
exiv2
CVE-2019-13109.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-13109.patch of Package exiv2
From 709830d2591fc9067257276168f68af9a90a1d33 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse <kev@semmle.com> Date: Thu, 25 Apr 2019 21:31:50 +0100 Subject: [PATCH] Avoid negative integer overflow when `iccOffset > chunkLength`. This fixes #790. --- src/pngimage.cpp | 2 ++ Index: exiv2-0.26/src/pngimage.cpp =================================================================== --- exiv2-0.26.orig/src/pngimage.cpp +++ exiv2-0.26/src/pngimage.cpp @@ -40,6 +40,7 @@ EXIV2_RCSID("@(#) $Id$") #include "image_int.hpp" #include "basicio.hpp" #include "error.hpp" +#include "enforce.hpp" #include "futils.hpp" #include "types.hpp" @@ -477,7 +478,17 @@ namespace Exiv2 { } else if (!memcmp(cheaderBuf.pData_ + 4, "iCCP", 4)) { - zlibToDataBuf(cdataBuf.pData_ +12+1,dataOffset-13,iccProfile_); // +1 = 'compressed' flag + // The ICC profile name can vary from 1-79 characters. + uint32_t iccOffset = 0; + do { + enforce(iccOffset < 80 && iccOffset < dataOffset, + Exiv2::kerCorruptedMetadata); + } while(cdataBuf.pData_[iccOffset++] != 0x00); + + ++iccOffset; // +1 = 'compressed' flag + enforce(iccOffset <= dataOffset, Exiv2::kerCorruptedMetadata); + + zlibToDataBuf(cdataBuf.pData_ + iccOffset, dataOffset - iccOffset, iccProfile_); #ifdef DEBUG std::cout << "Exiv2::PngImage::readMetadata: Found iCCP chunk length: " << dataOffset << std::endl; std::cout << "Exiv2::PngImage::readMetadata: iccProfile.size_ : " << iccProfile_.size_ << std::endl;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor