exiv2: Fix CVE-2021-29470

References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29470 The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Upstream-Status: Accepted [6628a69c03] CVE: CVE-2021-29470 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-01 13:58:06 +00:00 · 2021-05-18 16:07:59 +08:00 · 2021-05-18 16:07:59 +08:00 · bb1400efda
commit bb1400efda
parent 8c9470bdfa
2 changed files with 33 additions and 0 deletions
--- a/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2021-29470.patch
@ -0,0 +1,32 @@
+From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 21 Apr 2021 12:06:04 +0100
+Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header
+---
+ src/jp2image.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index b424225..349a9f0 100644
+--- a/src/jp2image.cpp
+++ b/src/jp2image.cpp
+@@ -645,13 +645,16 @@ static void boxes_check(size_t b,size_t m)
+         DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+         long    outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+         long    inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
+        enforce(sizeof(Jp2BoxHeader) <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+         Jp2BoxHeader* pBox   = (Jp2BoxHeader*) boxBuf.pData_;
+         uint32_t      length = getLong((byte*)&pBox->length, bigEndian);
+        enforce(length <= static_cast<size_t>(output.size_), Exiv2::kerCorruptedMetadata);
+         uint32_t      count  = sizeof (Jp2BoxHeader);
+         char*         p      = (char*) boxBuf.pData_;
+         bool          bWroteColor = false ;
+ 
+         while ( count < length || !bWroteColor ) {
+            enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+             Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+ 
+             // copy data.  pointer could be into a memory mapped file which we will decode!
+-- 
+2.25.1
+
--- a/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb
@ -14,6 +14,7 @@ SRC_URI += "file://0001-Use-compiler-fcf-protection-only-if-compiler-arch-su.pat
            file://CVE-2021-29458.patch \
            file://CVE-2021-29463.patch \
            file://CVE-2021-29464.patch \
+            file://CVE-2021-29470.patch \
            file://CVE-2021-3482.patch"

 S = "${WORKDIR}/${BPN}-${PV}-Source"