Package: exiv2 / 0.25-3.1+deb9u1

CVE-2018-12264.patch Patch series | download
From fe70939f54476e99046245ca69ff27012401f759 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Mon, 11 Jun 2018 18:37:36 +0200
Subject: [PATCH] Fix addition overflows in range checks in LoaderTiff::getData

Several checks for extracted values performed no overflow checks on the
addition. They can be tricked into passing even though the individual summands
are too large.
=> use Safe::add() which now aborts when an overflow occurs
This fixes #366

(cherry picked from commit fe70939f54476e99046245ca69ff27012401f759)
[rcs: Backported to stretch]
---
 src/preview.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- exiv2-stretch.git.orig/src/preview.cpp
+++ exiv2-stretch.git/src/preview.cpp
@@ -802,7 +802,7 @@
                     // this saves one copying of the buffer
                     uint32_t offset = dataValue.toLong(0);
                     uint32_t size = sizes.toLong(0);
-                    if (offset + size <= static_cast<uint32_t>(io.size()))
+                    if (Safe::add(offset, size) <= static_cast<uint32_t>(io.size()))
                         dataValue.setDataArea(base + offset, size);
                 }
                 else {
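Review bot: The right-hand side of the new comparison still narrows `io.size()` with `static_cast<uint32_t>`, so the bound can be wrong even though the left-hand sum is now overflow-checked. The declaration of `io.size()` is not visible here, but if it can return a negative failure value or a size above 4 GiB, the cast yields a bound unrelated to the mapped length; a -1 would become 0xFFFFFFFF and let any offset/size pair through to `setDataArea(base + offset, size)`. Consider reading the size once and comparing in a wider type, e.g. `const auto ioSize = io.size();` followed by `if (ioSize > 0 && static_cast<uint64_t>(offset) + size <= static_cast<uint64_t>(ioSize))`. The same cast guards the `memcpy` in the second hunk, and the enclosing function starts and ends outside this hunk.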
@@ -812,9 +812,9 @@
                     for (int i = 0; i < sizes.count(); i++) {
                         uint32_t offset = dataValue.toLong(i);
                         uint32_t size = sizes.toLong(i);
-                        if (idxBuf + size >= size_)
+                        if (Safe::add(idxBuf, size) >= size_)
                             throw Error(58);
-                        if (size!=0 && offset + size <= static_cast<uint32_t>(io.size()))
+                        if (size!=0 && Safe::add(offset, size) <= static_cast<uint32_t>(io.size()))
                             memcpy(&buf.pData_[idxBuf], base + offset, size);
                         idxBuf += size;
                     }
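Review bot: When the second check in the loop fails (`size != 0` but `offset + size` lies past the end of the file), the `memcpy` is skipped silently while `idxBuf += size` still advances, so that stretch of `buf` keeps whatever it held before. Unless `buf` is zero-filled where it is allocated, which is outside this hunk, a malformed TIFF could make the generated preview carry uninitialized heap contents. Handling the out-of-range strip like the first check, e.g. `else if (size != 0) throw Error(58);`, or clearing the gap with `memset(&buf.pData_[idxBuf], 0, size);`, would make the outcome deterministic. The enclosing function starts and ends outside the hunk.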