exiv2/exiv2-CVE-2021-29457.patch

From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001
From: Pydera <pydera@mailbox.org>
Date: Thu, 8 Apr 2021 17:36:16 +0200
Subject: [PATCH] Fix out of buffer access in #1529

---
 src/jp2image.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index 88ab9b2d6..12025f966 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)
 #endif
                 box.length = (uint32_t) (io_->size() - io_->tell() + 8);
             }
-            if (box.length == 1)
+            if (box.length < 8)
             {
-                // FIXME. Special case. the real box size is given in another place.
+                // box is broken, so there is nothing we can do here
+                throw Error(kerCorruptedMetadata);
             }

             // Read whole box : Box header + Box data (not fixed size - can be null).
Add missing patches Resolves: bz#1956174 2021-05-03 12:33:17 +00:00			`From 13e5a3e02339b746abcaee6408893ca2fd8e289d Mon Sep 17 00:00:00 2001`
			`From: Pydera <pydera@mailbox.org>`
			`Date: Thu, 8 Apr 2021 17:36:16 +0200`
			`Subject: [PATCH] Fix out of buffer access in #1529`

			`---`
			`src/jp2image.cpp \| 5 +++--`
			`1 file changed, 3 insertions(+), 2 deletions(-)`

			`diff --git a/src/jp2image.cpp b/src/jp2image.cpp`
			`index 88ab9b2d6..12025f966 100644`
			`--- a/src/jp2image.cpp`
			`+++ b/src/jp2image.cpp`
			`@@ -776,9 +776,10 @@ static void boxes_check(size_t b,size_t m)`
			`#endif`
			`box.length = (uint32_t) (io_->size() - io_->tell() + 8);`
			`}`
			`- if (box.length == 1)`
			`+ if (box.length < 8)`
			`{`
			`- // FIXME. Special case. the real box size is given in another place.`
			`+ // box is broken, so there is nothing we can do here`
			`+ throw Error(kerCorruptedMetadata);`
			`}`

			`// Read whole box : Box header + Box data (not fixed size - can be null).`