Fix CVE-2017-14860. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860 https://nvd.nist.gov/vuln/detail/CVE-2017-14860 Copied from upstream: https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Fri, 6 Oct 2017 23:09:08 +0200 Subject: [PATCH] Fix for CVE-2017-14860 A heap buffer overflow could occur in memcpy when icc.size_ is larger than data.size_ - pad, as then memcpy would read out of bounds of data. This commit adds a sanity check to iccLength (= icc.size_): if it is larger than data.size_ - pad (i.e. an overflow would be caused) an exception is thrown. This fixes #71. --- src/jp2image.cpp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/jp2image.cpp b/src/jp2image.cpp index 747145cf..748d39b5 100644 --- a/src/jp2image.cpp +++ b/src/jp2image.cpp @@ -269,10 +269,15 @@ namespace Exiv2 std::cout << "Exiv2::Jp2Image::readMetadata: " << "Color data found" << std::endl; #endif - long pad = 3 ; // 3 padding bytes 2 0 0 + const long pad = 3 ; // 3 padding bytes 2 0 0 DataBuf data(subBox.length+8); io_->read(data.pData_,data.size_); - long iccLength = getULong(data.pData_+pad, bigEndian); + const long iccLength = getULong(data.pData_+pad, bigEndian); + // subtracting pad from data.size_ is safe: + // size_ is at least 8 and pad = 3 + if (iccLength > data.size_ - pad) { + throw Error(58); + } DataBuf icc(iccLength); ::memcpy(icc.pData_,data.pData_+pad,icc.size_); #ifdef DEBUG x/log/?id=0054564b857c6ce2469ea2a7d0096ec31b3f80d9'>root/gnu/packages/ntp.scm
AgeCommit message (Expand)Author
2017-11-27gnu: openntpd: Enable use of TLS-based time constraints....Leo Famulari
2017-11-26gnu: openntpd: Update to 6.2p3....Efraim Flashner
2017-09-24gnu: openntpd: Update to 6.2p2....Efraim Flashner
2017-07-19download: Add OpenBSD mirrors....Tobias Geerinckx-Rice
2017-07-19gnu: openntpd: Update to 6.1p1....Tobias Geerinckx-Rice
2017-03-22gnu: ntp: Update to 4.2.8p10 [security fixes]....Leo Famulari
2016-11-28gnu: ntp: Update to 4.2.8p9....Efraim Flashner
2016-11-28gnu: ntp: Fix indentation....Efraim Flashner
2016-06-16gnu: openntpd: Update to 6.0p1....Efraim Flashner
2016-06-05gnu: ntp: Update to 4.2.8p8 [fixes CVE-2016-{4953, 4954, 4955, 4956, 4957}]....Leo Famulari
2016-06-05gnu: ntp: Add HTTPS URL....Leo Famulari
2016-05-09gnu: openntpd: Update to 5.9p1....Efraim Flashner
2016-05-05gnu: ntp: Update to 4.2.8p7 [security fixes]....Leo Famulari