Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Fix for CVE-2017-14860
A heap buffer overflow could occur in memcpy when icc.size_ is larger
than data.size_ - pad, as then memcpy would read out of bounds of data.

This commit adds a sanity check to iccLength (= icc.size_): if it is
larger than data.size_ - pad (i.e. an overflow would be caused) an
exception is thrown.

This fixes #71.
  • Loading branch information
D4N committed Oct 10, 2017
1 parent 65f45a3 commit ff18fec
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions src/jp2image.cpp
Expand Up @@ -269,10 +269,15 @@ namespace Exiv2
std::cout << "Exiv2::Jp2Image::readMetadata: "
<< "Color data found" << std::endl;
#endif
long pad = 3 ; // 3 padding bytes 2 0 0
const long pad = 3 ; // 3 padding bytes 2 0 0
DataBuf data(subBox.length+8);
io_->read(data.pData_,data.size_);
long iccLength = getULong(data.pData_+pad, bigEndian);
const long iccLength = getULong(data.pData_+pad, bigEndian);
// subtracting pad from data.size_ is safe:
// size_ is at least 8 and pad = 3
if (iccLength > data.size_ - pad) {
throw Error(58);
}
DataBuf icc(iccLength);
::memcpy(icc.pData_,data.pData_+pad,icc.size_);
#ifdef DEBUG
Expand Down

0 comments on commit ff18fec

Please sign in to comment.