exiv2: Fix CVE-2021-29464

          References
          https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29464

          The heap overflow is triggered when Exiv2 is used to write metadata into a crafted image file.
          An attacker could potentially exploit the vulnerability to gain code execution, if they can
          trick the victim into running Exiv2 on a crafted image file.

          Upstream-Status: Accepted [https://github.com/Exiv2/exiv2/commit/f9308839198aca5e68a65194f151a1de92398f54]
          CVE: CVE-2021-29464

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8c9470bdfaa1d33347ffaf25b3e18d2163667e18)
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2 files changed, 73 insertions, 0 deletions

diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
new file mode 100644
index 0000000000..f0c482450c
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29464.patch
@@ -0,0 +1,72 @@
+From 61734d8842cb9cc59437463e3bac54d6231d9487 Mon Sep 17 00:00:00 2001
+From: Wang Mingyu <wangmy@fujitsu.com>
+Date: Tue, 18 May 2021 10:52:54 +0900
+Subject: [PATCH] modify
+
+Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
+---
+ src/jp2image.cpp | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 52723a4..0ac4f50 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -643,11 +643,11 @@ static void boxes_check(size_t b,size_t m)
+     void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
+     {
+         DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+-        int     outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+-        int      inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++        long    outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
++        long    inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+         Jp2BoxHeader* pBox   = (Jp2BoxHeader*) boxBuf.pData_;
+-        int32_t       length = getLong((byte*)&pBox->length, bigEndian);
+-        int32_t       count  = sizeof (Jp2BoxHeader);
++        uint32_t      length = getLong((byte*)&pBox->length, bigEndian);
++        uint32_t      count  = sizeof (Jp2BoxHeader);
+         char*         p      = (char*) boxBuf.pData_;
+         bool          bWroteColor = false ;
+ 
+@@ -664,6 +664,7 @@ static void boxes_check(size_t b,size_t m)
+ #ifdef EXIV2_DEBUG_MESSAGES
+                 std::cout << "Jp2Image::encodeJp2Header subbox: "<< toAscii(subBox.type) << " length = " << subBox.length << std::endl;
+ #endif
++                enforce(subBox.length <= length - count, Exiv2::kerCorruptedMetadata);
+                 count        += subBox.length;
+                 newBox.type   = subBox.type;
+             } else {
+@@ -672,12 +673,13 @@ static void boxes_check(size_t b,size_t m)
+                 count = length;
+             }
+ 
+-            int32_t newlen = subBox.length;
++            uint32_t newlen = subBox.length;
+             if ( newBox.type == kJp2BoxTypeColorHeader ) {
+                 bWroteColor = true ;
+                 if ( ! iccProfileDefined() ) {
+                     const char* pad   = "\x01\x00\x00\x00\x00\x00\x10\x00\x00\x05\x1cuuid";
+                     uint32_t    psize = 15;
++                    enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+                     ul2Data((byte*)&newBox.length,psize      ,bigEndian);
+                     ul2Data((byte*)&newBox.type  ,newBox.type,bigEndian);
+                     ::memcpy(output.pData_+outlen                     ,&newBox            ,sizeof(newBox));
+@@ -686,6 +688,7 @@ static void boxes_check(size_t b,size_t m)
+                 } else {
+                     const char* pad   = "\0x02\x00\x00";
+                     uint32_t    psize = 3;
++                    enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+                     ul2Data((byte*)&newBox.length,psize+iccProfile_.size_,bigEndian);
+                     ul2Data((byte*)&newBox.type,newBox.type,bigEndian);
+                     ::memcpy(output.pData_+outlen                     ,&newBox            ,sizeof(newBox)  );
+@@ -694,6 +697,7 @@ static void boxes_check(size_t b,size_t m)
+                     newlen = psize + iccProfile_.size_;
+                 }
+             } else {
++                enforce(newlen <= output.size_ - outlen, Exiv2::kerCorruptedMetadata);
+                 ::memcpy(output.pData_+outlen,boxBuf.pData_+inlen,subBox.length);
+             }
+ 
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
index 8c4c81799b..024f4c794a 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@@ -13,6 +13,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat
             file://CVE-2021-29457.patch \
             file://CVE-2021-29458.patch \
             file://CVE-2021-29463.patch \
+            file://CVE-2021-29464.patch \
             file://CVE-2021-3482.patch"
 
 S = "${WORKDIR}/${BPN}-${PV}-Source"