Package: exiv2 / 0.25-3.1+deb9u1

CVE-2018-10958_10999_1_of_2.patch Patch series | download
From 2fb00c8a16ce93756cddd70536e361a49369ba88 Mon Sep 17 00:00:00 2001
From: Luis Diaz Mas <piponazo@gmail.com>
Date: Sat, 19 May 2018 19:39:30 +0200
Subject: [PATCH] Analyze minimum needed number of null separators in
 PngChunk::parseTXTChunk

This commit fixes the heap-buffer-overflow in PngChunk::parseTXTChunk.

According to the specification:
http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html

There must be 2 null separators when we start to analyze the language tag.

(cherry picked from commit 2fb00c8a16ce93756cddd70536e361a49369ba88)
[rcs: Backported to stretch]
---
 src/pngchunk.cpp                         | 5 +++++
 tests/bugfixes/github/test_CVE_2018_10999.py | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

--- exiv2.git.orig/src/pngchunk.cpp
+++ exiv2.git/src/pngchunk.cpp
@@ -49,6 +49,7 @@
 #include <iostream>
 #include <cassert>
 #include <cstdio>
+#include <algorithm>
 
 #include <zlib.h>     // To uncompress or compress text chunk
 
@@ -157,6 +158,9 @@
         }
         else if(type == iTXt_Chunk)
         {
+            const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0');
+            if (nullSeparators < 2) throw Error(58);
+
             // Extract a deflate compressed or uncompressed UTF-8 text chunk
 
             // we get the compression flag after the key
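Review bot: The range handed to std::count on the first added line is undefined when `keysize+3` is greater than `data.size_-1` (first past last), and `&data.pData_[data.size_-1]` is itself out of bounds for an empty chunk, so the new separator check is only meaningful once that range is known to be valid. Unless the keyword scan earlier in parseTXTChunk (outside this hunk) already guarantees `data.size_ >= keysize + 4`, a guard should precede the count, `if (data.size_ < keysize + 4) throw Error(58);`. Storing the std::ptrdiff_t result in `const int` narrows silently on very large chunks; `const std::ptrdiff_t nullSeparators = std::count(...)` keeps the count exact. The count also only proves that two separators exist somewhere in the remainder, not that they sit where the iTXt layout expects them, so the field reads that follow still rely on their own bounds checks. The enclosing function begins and ends outside the hunk.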
--- exiv2.git.orig/src/error.cpp
+++ exiv2.git/src/error.cpp
@@ -105,7 +105,8 @@
         { 49, N_("TIFF directory %1 has too many entries") }, // %1=TIFF directory name
         { 50, N_("Multiple TIFF array element tags %1 in one directory") }, // %1=tag number
         { 51, N_("TIFF array element tag %1 has wrong type") }, // %1=tag number
-        { 52, N_("%1 has invalid XMP value type `%2'") } // %1=key, %2=value type
+        { 52, N_("%1 has invalid XMP value type `%2'") }, // %1=key, %2=value type
+        { 58, N_("corrupted image metadata") }
     };
 
 }
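Review bot: The new table entry jumps from code 52 to 58 with no explanation, so a reader of this backport cannot tell whether 53–57 were dropped or never existed in this version; a trailing comment such as `{ 58, N_("corrupted image metadata") } // number kept in sync with upstream; 53-57 not backported` would record that (presumably the number was kept to match the cherry-picked commit). The diffstat in the header lists tests/bugfixes/github/test_CVE_2018_10999.py, while the second file actually touched is src/error.cpp, so the stat does not match the hunks.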