meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29458.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

From 9b7a19f957af53304655ed1efe32253a1b11a8d0 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Fri, 9 Apr 2021 13:37:48 +0100
Subject: [PATCH] Fix integer overflow.
---
 src/crwimage_int.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
index aefaf22..2e3e507 100644
--- a/src/crwimage_int.cpp
+++ b/src/crwimage_int.cpp
@@ -559,7 +559,7 @@ namespace Exiv2 {
     void CiffComponent::setValue(DataBuf buf)
     {
         if (isAllocated_) {
-            delete pData_;
+            delete[] pData_;
             pData_ = 0;
             size_ = 0;
         }
@@ -1167,7 +1167,11 @@ namespace Exiv2 {
                                                  pCrwMapping->crwDir_);
         if (edX != edEnd || edY != edEnd || edO != edEnd) {
             uint32_t size = 28;
-            if (cc && cc->size() > size) size = cc->size();
+            if (cc) {
+              if (cc->size() < size)
+                throw Error(kerCorruptedMetadata);
+              size = cc->size();
+            }
             DataBuf buf(size);
             std::memset(buf.pData_, 0x0, buf.size_);
             if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
-- 
2.25.1