compat-exiv2-026/exiv2-CVE-2021-37619.patch

From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 30 Jun 2021 16:47:50 +0100
Subject: [PATCH 2/2] Fix incorrect loop condition.

---
 src/jp2image.cpp                                      |  6 ++++--
 .../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 2cd0a89..58ad5c6 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -619,11 +619,13 @@ namespace Exiv2
         char*         p      = (char*) boxBuf.pData_;
         bool          bWroteColor = false ;

-        while ( count < length || !bWroteColor ) {
+        while ( count < length && !bWroteColor ) {
             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;

             // copy data.  pointer could be into a memory mapped file which we will decode!
-            Jp2BoxHeader   subBox = *pSubBox ;
+            // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
+            Jp2BoxHeader   subBox;
+            memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
             Jp2BoxHeader   newBox =  subBox;

             if ( count < length ) {