Package: exiv2 / 0.25-3.1+deb9u1

CVE-2018-10958_10999_2_of_2.patch Patch series | download
From 3ad0050469e6ea63b4081f2a88c264ce8ab55c51 Mon Sep 17 00:00:00 2001
From: Luis Diaz Mas <piponazo@gmail.com>
Date: Wed, 23 May 2018 10:34:20 +0200
Subject: [PATCH] Check validity of compressionFlag & compressionMethod

(cherry picked from commit 3ad0050469e6ea63b4081f2a88c264ce8ab55c51)
[rcs: Backported to stretch]
---
 src/pngchunk.cpp | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

--- exiv2.git.orig/src/pngchunk.cpp
+++ exiv2.git/src/pngchunk.cpp
@@ -159,14 +159,24 @@
         else if(type == iTXt_Chunk)
         {
             const int nullSeparators = std::count(&data.pData_[keysize+3], &data.pData_[data.size_-1], '\0');
-            if (nullSeparators < 2) throw Error(58);
+            if (nullSeparators < 2) throw Error(58, "iTXt chunk: not enough null separators");
 
             // Extract a deflate compressed or uncompressed UTF-8 text chunk
 
             // we get the compression flag after the key
-            const byte* compressionFlag   = data.pData_ + keysize + 1;
+            const byte compressionFlag   = data.pData_[keysize + 1];
             // we get the compression method after the compression flag
-            const byte* compressionMethod = data.pData_ + keysize + 2;
+            const byte compressionMethod = data.pData_[keysize + 2];
+
+            if (compressionFlag != 0x00 && compressionFlag != 0x01)
+            {
+                    throw Error(58, "iTXt chunk: not valid value in compressionFlag");
+            }
+            if (compressionMethod != 0x00)
+            {
+                    throw Error(58, "iTXt chunk: not valid value in compressionMethod");
+            }
+
             // language description string after the compression technique spec
             std::string languageText((const char*)(data.pData_ + keysize + 3));
             unsigned int languageTextSize = static_cast<unsigned int>(languageText.size());
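Review bot: Nothing in this hunk checks that the chunk is long enough before `std::count` and the two new indexed reads at `keysize + 1` and `keysize + 2` run. If `data.size_ - 1` is smaller than `keysize + 3`, the range handed to `std::count` is inverted, so the scan runs past the buffer before the `nullSeparators < 2` test can reject the chunk. Unless `keysize` is already bounded against `data.size_` above the hunk (not visible here), add a guard ahead of the count, for example `if (data.size_ < keysize + 4) throw Error(58, "iTXt chunk: too short");`, with the types adjusted to match the surrounding code. As a style point, the two new `throw` lines are indented one level deeper than the rest of the block.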
@@ -174,7 +184,7 @@
             std::string translatedKeyText((const char*)(data.pData_ + keysize + 3 + languageTextSize +1));
             unsigned int translatedKeyTextSize = static_cast<unsigned int>(translatedKeyText.size());
 
-            if ( compressionFlag[0] == 0x00 )
+            if ( compressionFlag == 0x00 )
             {
                 // then it's an uncompressed iTXt chunk
 #ifdef DEBUG
@@ -188,7 +198,7 @@
                 arr.alloc(textsize);
                 arr = DataBuf(text, textsize);
             }
-            else if ( compressionFlag[0] == 0x01 && compressionMethod[0] == 0x00 )
+            else if ( compressionFlag == 0x01 && compressionMethod == 0x00 )
             {
                 // then it's a zlib compressed iTXt chunk
 #ifdef DEBUG
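Review bot: The `compressionMethod == 0x00` test in this `else if` can no longer be false, because the validation added in the first hunk throws for any other method value. The flag is likewise limited to 0x00 or 0x01 by then, so any trailing `else` below this hunk (not visible here) looks unreachable. Either reduce the branch to a plain `else`, or keep the condition and mark it with a comment such as `// flag and method were validated above; kept as a defensive check`. The branch body continues outside the hunk.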