exiv2/exiv2-CVE-2021-37619.patch
Jan Grulich c39924fe20 Include missing tests for CVEs
Resolves: bz#1993247
Resolves: bz#1993284
2021-08-24 13:17:10 +02:00

101 lines
4.2 KiB
Diff

From a7b920bdbde1ee15a1a470d743dbae69ee398c75 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 30 Jun 2021 16:47:12 +0100
Subject: [PATCH 1/2] Regression test for
https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
---
test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2 | Bin 0 -> 1692 bytes
.../github/test_issue_ghsa_mxw9_qx4c_6m8v.py | 18 ++++++++++++++++++
2 files changed, 18 insertions(+)
create mode 100644 test/data/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2
create mode 100644 tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
diff --git a/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
new file mode 100644
index 0000000000..8f8b6676cf
--- /dev/null
+++ b/tests/bugfixes/github/test_issue_ghsa_mxw9_qx4c_6m8v.py
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+
+from system_tests import CaseMeta, CopyTmpFiles, path, check_no_ASAN_UBSAN_errors
+@CopyTmpFiles("$data_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
+
+class Jp2ImageEncodeJp2HeaderOutOfBoundsRead2(metaclass=CaseMeta):
+ """
+ Regression test for the bug described in:
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v
+ """
+ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-mxw9-qx4c-6m8v"
+
+ filename = path("$tmp_path/issue_ghsa_mxw9_qx4c_6m8v_poc.jp2")
+ commands = ["$exiv2 rm $filename"]
+ stdout = [""]
+ retval = [0]
+
+ compare_stderr = check_no_ASAN_UBSAN_errors
From 9be257340193dbe3fb810aa33531c40ae9df6414 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse <kevinbackhouse@github.com>
Date: Wed, 30 Jun 2021 16:47:50 +0100
Subject: [PATCH 2/2] Fix incorrect loop condition.
---
src/jp2image.cpp | 6 ++++--
.../bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py | 11 +++++------
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
index b6a388542f..3bf3566294 100644
--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
@@ -656,12 +656,14 @@ static void boxes_check(size_t b,size_t m)
char* p = (char*) boxBuf.pData_;
bool bWroteColor = false ;
- while ( count < length || !bWroteColor ) {
+ while ( count < length && !bWroteColor ) {
enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
// copy data. pointer could be into a memory mapped file which we will decode!
- Jp2BoxHeader subBox = *pSubBox ;
+ // pSubBox isn't always an aligned pointer, so use memcpy to do the copy.
+ Jp2BoxHeader subBox;
+ memcpy(&subBox, pSubBox, sizeof(Jp2BoxHeader));
Jp2BoxHeader newBox = subBox;
if ( count < length ) {
diff --git a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
index c98b3815eb..44f6a906cb 100644
--- a/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
+++ b/tests/bugfixes/github/test_issue_ghsa_8949_hhfh_j7rj.py
@@ -1,7 +1,7 @@
# -*- coding: utf-8 -*-
-from system_tests import CaseMeta, path
-
+from system_tests import CaseMeta, CopyTmpFiles, path
+@CopyTmpFiles("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2","$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
"""
@@ -10,13 +10,12 @@ class Jp2ImageEncodeJp2HeaderOutOfBoundsRead(metaclass=CaseMeta):
"""
url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj"
- filename1 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
- filename2 = path("$data_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
+ filename1 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.jp2")
+ filename2 = path("$tmp_path/issue_ghsa_8949_hhfh_j7rj_poc.exv")
commands = ["$exiv2 in $filename1"]
stdout = [""]
stderr = [
"""Error: XMP Toolkit error 201: XML parsing failure
Warning: Failed to decode XMP metadata.
-$filename1: Could not write metadata to file: $kerCorruptedMetadata
"""]
- retval = [1]
+ retval = [0]