diff options
| -rw-r--r-- | meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch | 32 | ||||
| -rw-r--r-- | meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 1 |
2 files changed, 33 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch new file mode 100644 index 0000000000..eedf9d79aa --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch @@ -0,0 +1,32 @@ +From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse <kevinbackhouse@github.com> +Date: Wed, 21 Apr 2021 12:06:04 +0100 +Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header +--- + src/jp2image.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/jp2image.cpp b/src/jp2image.cpp +index b424225..349a9f0 100644 +--- a/src/jp2image.cpp ++++ b/src/jp2image.cpp +@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m) + DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space + long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output? + long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf? ++ enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata); + Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_; + uint32_t length = getLong((byte*)&pBox->length, bigEndian); ++ enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata); + uint32_t count = sizeof (Jp2BoxHeader); + char* p = (char*) boxBuf.pData_; + bool bWroteColor = false ; + + while ( count < length || !bWroteColor ) { ++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata); + Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ; + + // copy data. pointer could be into a memory mapped file which we will decode! +-- +2.25.1 + diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb index 024f4c794a..2419bab352 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb @@ -14,6 +14,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat file://CVE-2021-29458.patch \ file://CVE-2021-29463.patch \ file://CVE-2021-29464.patch \ + file://CVE-2021-29470.patch \ file://CVE-2021-3482.patch" S = "${WORKDIR}/${BPN}-${PV}-Source" |