Package: exiv2 / 0.25-3.1+deb9u1

CVE-2018-12265.patch
From 937a1a2bd067b8b3b787f3757089d972f3a39853 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Mon, 11 Jun 2018 16:04:28 +0200
Subject: [PATCH] Add offset_ and size_ safely in
 LoaderExifJpeg::LoaderExifJpeg

offset_ can become arbitrarily large and overflows once it's added to size_;
this causes all kinds of problems further in the code when offset_ is used
again.
=> Use Safe::add() to catch potential overflows
This fixes #365.

(cherry picked from commit 937a1a2bd067b8b3b787f3757089d972f3a39853)
[rcs: Backported to stretch]
---
 src/preview.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- exiv2-stretch.git.orig/src/preview.cpp
+++ exiv2-stretch.git/src/preview.cpp
@@ -36,6 +36,7 @@
 
 #include "preview.hpp"
 #include "futils.hpp"
+#include "safe_op.hpp"
 
 #include "image.hpp"
 #include "cr2image.hpp"
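Review bot: the new `#include "safe_op.hpp"` is the only reference this patch makes to that header, and the header itself is not part of this diff; for the stretch backport of 0.25, confirm that `src/safe_op.hpp` (and the `Safe::add` template it provides) is actually present in the tree, e.g. supplied by an earlier patch in this series, otherwise the build fails at this line and the series ordering in debian/patches/series must be checked.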
@@ -546,7 +547,8 @@
             }
         }
 
-        if (offset_ + size_ > static_cast<uint32_t>(image_.io().size())) return;
+        if (Safe::add(offset_, size_) > static_cast<uint32_t>(image_.io().size()))
+            return;
 
         valid_ = true;
     }
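Review bot: replacing `offset_ + size_` with `Safe::add(offset_, size_)` changes the failure path, not just the arithmetic: the original line rejected an out-of-range preview silently by returning with `valid_` still false, whereas a checked add that reports overflow by throwing turns the same input into an exception escaping `LoaderExifJpeg::LoaderExifJpeg`. If `Safe::add` throws on overflow, either wrap it so the overflow case also takes the early `return` (e.g. `try { if (Safe::add(offset_, size_) > ...) return; } catch (const std::overflow_error&) { return; }`), or document in the commit message that callers of the preview loader are expected to handle the exception. Also note the comparison still casts only the right-hand side to `uint32_t`; the types of `offset_` and `size_` are not visible in the hunk, so verify both are `uint32_t` so that `Safe::add` deduces a single `T` and the comparison does not silently widen.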