kumquat-buildroot/package/exiv2/0001-crwimage-Check-offset-and-size-against-total-size.patch

From b7890776c62398ca1005e8edc32786859d60fcf7 Mon Sep 17 00:00:00 2001
From: Jens Georg <mail@jensge.org>
Date: Sun, 6 Oct 2019 15:05:20 +0200
Subject: [PATCH] crwimage: Check offset and size against total size

Corrupted or specially crafted CRW images might exceed the overall
buffersize.

Fixes #1019

(cherry picked from commit 683451567284005cd24e1ccb0a76ca401000968b)
[Retrieved (and slightly updated to keep only the fix) from:
https://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 src/crwimage_int.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
index 29311fdb7..c0d955350 100644
--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
@@ -268,6 +268,9 @@ namespace Exiv2 {
 #ifdef EXIV2_DEBUG_MESSAGES
         std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
 #endif
+        if (this->offset() + this->size() > size)
+            throw Error(kerOffsetOutOfRange);
+
         readDirectory(pData + offset(), this->size(), byteOrder);
 #ifdef EXIV2_DEBUG_MESSAGES
         std::cout << "<---- 0x" << std::hex << tag() << "\n";
package/exiv2: fix CVE-2019-17402 Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> 2020-02-29 22:32:03 +01:00			`From b7890776c62398ca1005e8edc32786859d60fcf7 Mon Sep 17 00:00:00 2001`
			`From: Jens Georg <mail@jensge.org>`
			`Date: Sun, 6 Oct 2019 15:05:20 +0200`
			`Subject: [PATCH] crwimage: Check offset and size against total size`

			`Corrupted or specially crafted CRW images might exceed the overall`
			`buffersize.`

			`Fixes #1019`

			`(cherry picked from commit 683451567284005cd24e1ccb0a76ca401000968b)`
			`[Retrieved (and slightly updated to keep only the fix) from:`
			`https://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec]`
			`Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>`
			`---`
			`src/crwimage_int.cpp \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp`
			`index 29311fdb7..c0d955350 100644`
			`--- a/src/crwimage_int.cpp`
			`+++ b/src/crwimage_int.cpp`
			`@@ -268,6 +268,9 @@ namespace Exiv2 {`
			`#ifdef EXIV2_DEBUG_MESSAGES`
			`std::cout << "Reading directory 0x" << std::hex << tag() << "\n";`
			`#endif`
			`+ if (this->offset() + this->size() > size)`
			`+ throw Error(kerOffsetOutOfRange);`
			`+`
			`readDirectory(pData + offset(), this->size(), byteOrder);`
			`#ifdef EXIV2_DEBUG_MESSAGES`
			`std::cout << "<---- 0x" << std::hex << tag() << "\n";`