blob: a594a2bfad13f6dcb7af53472c5a3ec1403fe132 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
From ce4f575e106697c0e513091e95a7cd12ed6a488b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Tue, 9 Jan 2018 21:18:36 +0100
Subject: [PATCH 1/8] Add check for DataBuf.size_ in Jp2Image::readMetadata()
When parsing a subBox that is a ColorHeader, a length is extracted
from the input file and fed directly into DataBuf() (which calls
malloc). A crafted input file can provide arbitrarily (up to
max(uint32_t)-8) large values and result in excessive memory
allocation.
This commit adds a check for the new size of DataBuf so that it is not
larger than the remaining size of the file.
This fixes #202 aka CVE-2018-4868
---
src/jp2image.cpp | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index a308bfd9..3cebc2a8 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -272,7 +272,12 @@ namespace Exiv2
#endif
const long pad = 3 ; // 3 padding bytes 2 0 0
- DataBuf data(Safe::add(subBox.length, static_cast<uint32_t>(8)));
+ const size_t data_length = Safe::add(subBox.length, static_cast<uint32_t>(8));
+ // data_length makes no sense if it is larger than the rest of the file
+ if (data_length > io_->size() - io_->tell()) {
+ throw Error(58);
+ }
+ DataBuf data(data_length);
io_->read(data.pData_,data.size_);
const long iccLength = getULong(data.pData_+pad, bigEndian);
// subtracting pad from data.size_ is safe:
--
2.17.0
|
