summary refs log tree commit diff
path: root/gnu/packages/patches/exiv2-CVE-2017-14860.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/exiv2-CVE-2017-14860.patch')
-rw-r--r--gnu/packages/patches/exiv2-CVE-2017-14860.patch48
1 files changed, 0 insertions, 48 deletions
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
deleted file mode 100644
index 43e6076b71..0000000000
--- a/gnu/packages/patches/exiv2-CVE-2017-14860.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Fix CVE-2017-14860.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
-https://nvd.nist.gov/vuln/detail/CVE-2017-14860
-
-Copied from upstream:
-
-https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce
-
-From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
-Date: Fri, 6 Oct 2017 23:09:08 +0200
-Subject: [PATCH] Fix for CVE-2017-14860
-
-A heap buffer overflow could occur in memcpy when icc.size_ is larger
-than data.size_ - pad, as then memcpy would read out of bounds of data.
-
-This commit adds a sanity check to iccLength (= icc.size_): if it is
-larger than data.size_ - pad (i.e. an overflow would be caused) an
-exception is thrown.
-
-This fixes #71.
----
- src/jp2image.cpp | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/jp2image.cpp b/src/jp2image.cpp
-index 747145cf..748d39b5 100644
---- a/src/jp2image.cpp
-+++ b/src/jp2image.cpp
-@@ -269,10 +269,15 @@ namespace Exiv2
-                             std::cout << "Exiv2::Jp2Image::readMetadata: "
-                                      << "Color data found" << std::endl;
- #endif
--                            long pad = 3 ; // 3 padding bytes 2 0 0
-+                            const long pad = 3 ; // 3 padding bytes 2 0 0
-                             DataBuf data(subBox.length+8);
-                             io_->read(data.pData_,data.size_);
--                            long    iccLength = getULong(data.pData_+pad, bigEndian);
-+                            const long    iccLength = getULong(data.pData_+pad, bigEndian);
-+                            // subtracting pad from data.size_ is safe:
-+                            // size_ is at least 8 and pad = 3
-+                            if (iccLength > data.size_ - pad) {
-+                                throw Error(58);
-+			    }
-                             DataBuf icc(iccLength);
-                             ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
- #ifdef DEBUG
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-03-20 02:32:15 +0000