exiv2/SOURCES/exiv2-CVE-2019-20421.patch

From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001
From: clanmills <robin@clanmills.com>
Date: Tue, 1 Oct 2019 17:39:44 +0100
Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop

---
 src/jp2image.cpp                             |  25 +++++++++++++++----
 test/data/Jp2Image_readMetadata_loop.poc     | Bin 0 -> 738 bytes
 tests/bugfixes/github/test_CVE_2017_17725.py |   4 +--
 tests/bugfixes/github/test_issue_1011.py     |  13 ++++++++++
 4 files changed, 35 insertions(+), 7 deletions(-)
 create mode 100755 test/data/Jp2Image_readMetadata_loop.poc
 create mode 100644 tests/bugfixes/github/test_issue_1011.py

diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index d5cd1340a..0de088d62 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -18,10 +18,6 @@
  * Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.
  */

-/*
-  File:      jp2image.cpp
-*/
-
 // *****************************************************************************

 // included header files
@@ -197,6 +193,16 @@ namespace Exiv2
         return result;
     }

+static void boxes_check(size_t b,size_t m)
+{
+    if ( b > m ) {
+#ifdef EXIV2_DEBUG_MESSAGES
+        std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;
+#endif
+        throw Error(kerCorruptedMetadata);
+    }
+}
+
     void Jp2Image::readMetadata()
     {
 #ifdef EXIV2_DEBUG_MESSAGES
@@ -219,9 +225,12 @@ namespace Exiv2
         Jp2BoxHeader      subBox    = {0,0};
         Jp2ImageHeaderBox ihdr      = {0,0,0,0,0,0,0,0};
         Jp2UuidBox        uuid      = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+        size_t            boxes     = 0 ;
+        size_t            boxem     = 1000 ; // boxes max

         while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))
         {
+            boxes_check(boxes++,boxem );
             position   = io_->tell();
             box.length = getLong((byte*)&box.length, bigEndian);
             box.type   = getLong((byte*)&box.type, bigEndian);
@@ -251,8 +260,12 @@ namespace Exiv2

                     while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )
                     {
+                        boxes_check(boxes++, boxem) ;
                         subBox.length = getLong((byte*)&subBox.length, bigEndian);
                         subBox.type   = getLong((byte*)&subBox.type, bigEndian);
+                        if (subBox.length > io_->size() ) {
+                            throw Error(kerCorruptedMetadata);
+                        }
 #ifdef EXIV2_DEBUG_MESSAGES
                         std::cout << "Exiv2::Jp2Image::readMetadata: "
                         << "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;
@@ -308,7 +321,9 @@ namespace Exiv2
                         }

                         io_->seek(restore,BasicIo::beg);
-                        io_->seek(subBox.length, Exiv2::BasicIo::cur);
+                        if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {
+                            throw Error(kerCorruptedMetadata);
+                        }
                         restore = io_->tell();
                     }
                     break;
diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py
index 1127b9806..670a75d8d 100644
--- a/tests/bugfixes/github/test_CVE_2017_17725.py
+++ b/tests/bugfixes/github/test_CVE_2017_17725.py
@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):
     filename = "$data_path/poc_2017-12-12_issue188"
     commands = ["$exiv2 " + filename]
     stdout = [""]
-    stderr = ["""$exiv2_overflow_exception_message """ + filename + """:
-$addition_overflow_message
+    stderr = ["""$exiv2_exception_message """ + filename + """:
+$kerCorruptedMetadata
 """]
     retval = [1]
import exiv2-0.27.2-5.el8 2020-04-28 09:33:55 +00:00			`From 1b917c3f7dd86336a9f6fda4456422c419dfe88c Mon Sep 17 00:00:00 2001`
			`From: clanmills <robin@clanmills.com>`
			`Date: Tue, 1 Oct 2019 17:39:44 +0100`
			`Subject: [PATCH] Fix #1011 fix_1011_jp2_readmetadata_loop`

			`---`
			`src/jp2image.cpp \| 25 +++++++++++++++----`
			`test/data/Jp2Image_readMetadata_loop.poc \| Bin 0 -> 738 bytes`
			`tests/bugfixes/github/test_CVE_2017_17725.py \| 4 +--`
			`tests/bugfixes/github/test_issue_1011.py \| 13 ++++++++++`
			`4 files changed, 35 insertions(+), 7 deletions(-)`
			`create mode 100755 test/data/Jp2Image_readMetadata_loop.poc`
			`create mode 100644 tests/bugfixes/github/test_issue_1011.py`

			`diff --git a/src/jp2image.cpp b/src/jp2image.cpp`
			`index d5cd1340a..0de088d62 100644`
			`--- a/src/jp2image.cpp`
			`+++ b/src/jp2image.cpp`
			`@@ -18,10 +18,6 @@`
			`* Foundation, Inc., 51 Franklin Street, 5th Floor, Boston, MA 02110-1301 USA.`
			`*/`

			`-/*`
			`- File: jp2image.cpp`
			`-*/`
			`-`
			`// *****************************************************************************`

			`// included header files`
			`@@ -197,6 +193,16 @@ namespace Exiv2`
			`return result;`
			`}`

			`+static void boxes_check(size_t b,size_t m)`
			`+{`
			`+ if ( b > m ) {`
			`+#ifdef EXIV2_DEBUG_MESSAGES`
			`+ std::cout << "Exiv2::Jp2Image::readMetadata box maximum exceeded" << std::endl;`
			`+#endif`
			`+ throw Error(kerCorruptedMetadata);`
			`+ }`
			`+}`
			`+`
			`void Jp2Image::readMetadata()`
			`{`
			`#ifdef EXIV2_DEBUG_MESSAGES`
			`@@ -219,9 +225,12 @@ namespace Exiv2`
			`Jp2BoxHeader subBox = {0,0};`
			`Jp2ImageHeaderBox ihdr = {0,0,0,0,0,0,0,0};`
			`Jp2UuidBox uuid = {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};`
			`+ size_t boxes = 0 ;`
			`+ size_t boxem = 1000 ; // boxes max`

			`while (io_->read((byte*)&box, sizeof(box)) == sizeof(box))`
			`{`
			`+ boxes_check(boxes++,boxem );`
			`position = io_->tell();`
			`box.length = getLong((byte*)&box.length, bigEndian);`
			`box.type = getLong((byte*)&box.type, bigEndian);`
			`@@ -251,8 +260,12 @@ namespace Exiv2`

			`while (io_->read((byte*)&subBox, sizeof(subBox)) == sizeof(subBox) && subBox.length )`
			`{`
			`+ boxes_check(boxes++, boxem) ;`
			`subBox.length = getLong((byte*)&subBox.length, bigEndian);`
			`subBox.type = getLong((byte*)&subBox.type, bigEndian);`
			`+ if (subBox.length > io_->size() ) {`
			`+ throw Error(kerCorruptedMetadata);`
			`+ }`
			`#ifdef EXIV2_DEBUG_MESSAGES`
			`std::cout << "Exiv2::Jp2Image::readMetadata: "`
			`<< "subBox = " << toAscii(subBox.type) << " length = " << subBox.length << std::endl;`
			`@@ -308,7 +321,9 @@ namespace Exiv2`
			`}`

			`io_->seek(restore,BasicIo::beg);`
			`- io_->seek(subBox.length, Exiv2::BasicIo::cur);`
			`+ if ( io_->seek(subBox.length, Exiv2::BasicIo::cur) != 0 ) {`
			`+ throw Error(kerCorruptedMetadata);`
			`+ }`
			`restore = io_->tell();`
			`}`
			`break;`
			`diff --git a/tests/bugfixes/github/test_CVE_2017_17725.py b/tests/bugfixes/github/test_CVE_2017_17725.py`
			`index 1127b9806..670a75d8d 100644`
			`--- a/tests/bugfixes/github/test_CVE_2017_17725.py`
			`+++ b/tests/bugfixes/github/test_CVE_2017_17725.py`
			`@@ -11,7 +11,7 @@ class TestCvePoC(metaclass=system_tests.CaseMeta):`
			`filename = "$data_path/poc_2017-12-12_issue188"`
			`commands = ["$exiv2 " + filename]`
			`stdout = [""]`
			`- stderr = ["""$exiv2_overflow_exception_message """ + filename + """:`
			`-$addition_overflow_message`
			`+ stderr = ["""$exiv2_exception_message """ + filename + """:`
			`+$kerCorruptedMetadata`
			`"""]`
			`retval = [1]`