compat-exiv2-026/exiv2-CVE-2018-14046.patch
2023-02-27 12:30:00 -05:00

50 lines
1.9 KiB
Diff

diff --git a/src/webpimage.cpp b/src/webpimage.cpp
index e4057d6..f1dd77c 100644
--- a/src/webpimage.cpp
+++ b/src/webpimage.cpp
@@ -44,6 +44,8 @@
#include "tiffimage.hpp"
#include "tiffimage_int.hpp"
#include "convert.hpp"
+#include "enforce.hpp"
+
#include <cmath>
#include <iomanip>
#include <string>
@@ -516,6 +518,8 @@ namespace Exiv2 {
DataBuf payload(size);
if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8X) && !has_canvas_data) {
+ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+
has_canvas_data = true;
byte size_buf[WEBP_TAG_SIZE];
@@ -531,6 +535,8 @@ namespace Exiv2 {
size_buf[3] = 0;
pixelHeight_ = Exiv2::getULong(size_buf, littleEndian) + 1;
} else if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8) && !has_canvas_data) {
+ enforce(size >= 10, Exiv2::kerCorruptedMetadata);
+
has_canvas_data = true;
io_->read(payload.pData_, payload.size_);
byte size_buf[WEBP_TAG_SIZE];
@@ -547,6 +553,8 @@ namespace Exiv2 {
size_buf[3] = 0;
pixelHeight_ = Exiv2::getULong(size_buf, littleEndian) & 0x3fff;
} else if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_VP8L) && !has_canvas_data) {
+ enforce(size >= 5, Exiv2::kerCorruptedMetadata);
+
has_canvas_data = true;
byte size_buf_w[2];
byte size_buf_h[3];
@@ -564,6 +572,8 @@ namespace Exiv2 {
size_buf_h[1] = ((size_buf_h[1] >> 6) & 0x3) | ((size_buf_h[2] & 0xF) << 0x2);
pixelHeight_ = Exiv2::getUShort(size_buf_h, littleEndian) + 1;
} else if (equalsWebPTag(chunkId, WEBP_CHUNK_HEADER_ANMF) && !has_canvas_data) {
+ enforce(size >= 12, Exiv2::kerCorruptedMetadata);
+
has_canvas_data = true;
byte size_buf[WEBP_TAG_SIZE];