From 8f92e14f18fbd71f5d9de95810c1070c75cf00e0 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 24 Aug 2021 22:24:45 +0000
Subject: [PATCH] import compat-exiv2-026-0.26-6.el8

---
 SOURCES/exiv2-CVE-2021-37618.patch | 37 ++++++++++++++++++++++++++++++
 SOURCES/exiv2-CVE-2021-37619.patch | 30 ++++++++++++++++++++++++
 SPECS/compat-exiv2-026.spec        | 13 +++++++++--
 3 files changed, 78 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/exiv2-CVE-2021-37618.patch
 create mode 100644 SOURCES/exiv2-CVE-2021-37619.patch

diff --git a/SOURCES/exiv2-CVE-2021-37618.patch b/SOURCES/exiv2-CVE-2021-37618.patch
new file mode 100644
index 0000000..929cae4
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2021-37618.patch
@@ -0,0 +1,37 @@
+From dbf472751fc8b87ea7d1de02f54eaf64233a2fb6 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Mon, 5 Jul 2021 10:40:03 +0100
+Subject: [PATCH 2/2] Better bounds checking in Jp2Image::printStructure
+
+---
+ src/jp2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 43c93d7..a8c37e8 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -42,6 +42,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include "futils.hpp"
+ #include "types.hpp"
+ #include "safe_op.hpp"
++#include "enforce.hpp"
+
+ // + standard includes
+ #include <string>
+@@ -511,6 +512,7 @@ namespace Exiv2
+                             if(subBox.type == kJp2BoxTypeColorHeader)
+                             {
+                                 long pad = 3 ; // don't know why there are 3 padding bytes
++                                enforce(data.size_ >= pad, kerCorruptedMetadata);
+                                 if ( bPrint ) {
+                                     out << " | pad:" ;
+                                     for ( int i = 0 ; i < 3 ; i++ ) out<< " " << (int) data.pData_[i];
+@@ -521,6 +523,7 @@ namespace Exiv2
+                                 }
+
+                                 DataBuf icc(iccLength);
++                                enforce(iccLength <= data.size_ - pad, kerCorruptedMetadata);
+                                 if ( bICC ) out.write((const char*)icc.pData_,icc.size_);
+                             }
+                             lf(out,bLF);
diff --git a/SOURCES/exiv2-CVE-2021-37619.patch b/SOURCES/exiv2-CVE-2021-37619.patch
new file mode 100644
index 0000000..e00520c
--- /dev/null
+++ b/SOURCES/exiv2-CVE-2021-37619.patch
@@ -0,0 +1,30 @@
+From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 30 Jun 2021 16:47:50 +0100
+Subject: [PATCH 2/2] Fix incorrect loop condition.
+
+---
+ src/jp2image.cpp                                      |  6 ++++--
+ .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 2cd0a89..58ad5c6 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -619,11 +619,13 @@ namespace Exiv2
+         char*         p      = (char*) boxBuf.pData_;
+         bool          bWroteColor = false ;
+
+-        while ( count < length || !bWroteColor ) {
++        while ( count < length && !bWroteColor ) {
+             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+             // copy data.  pointer could be into a memory mapped file which we will decode!
+-            Jp2BoxHeader   subBox = *pSubBox ;
++            // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
++            Jp2BoxHeader   subBox;
++            memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
+             Jp2BoxHeader   newBox =  subBox;
+
+             if ( count < length ) {
diff --git a/SPECS/compat-exiv2-026.spec b/SPECS/compat-exiv2-026.spec
index 757143c..c45a864 100644
--- a/SPECS/compat-exiv2-026.spec
+++ b/SPECS/compat-exiv2-026.spec
@@ -1,6 +1,6 @@
 Name:    compat-exiv2-026
 Version: 0.26
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Compatibility package with the exiv2 library in version 0.26
 
 License: GPLv2+
@@ -34,6 +34,8 @@ Patch26: exiv2-CVE-2018-8977.patch
 Patch27: exiv2-CVE-2018-16336.patch
 Patch28: exiv2-CVE-2021-31291.patch
 Patch29: exiv2-CVE-2021-31292.patch
+Patch30: exiv2-CVE-2021-37618.patch
+Patch31: exiv2-CVE-2021-37619.patch
 
 ## upstreamable patches
 
@@ -98,7 +100,14 @@ rm -rf mv %{buildroot}%{_libdir}/libexiv2.so
 
 
 %changelog
-* Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-11
+* Wed Aug 18 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-6
+- Fix out-of-bounds read in Exiv2::Jp2Image::printStructure
+  Resolves: bz#1993283
+
+- Fix out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header
+  Resolves: bz#1993246
+
+* Thu Aug 05 2021 Jan Grulich <jgrulich@redhat.com> - 0.26-4
 - Fix heap-based buffer overflow vulnerability in jp2image.cpp that may lead to DoS
   Resolves: bz#1990398