Add check for DataBuf.size_ in Jp2Image::readMetadata()

When parsing a subBox that is a ColorHeader, a length is extracted
from the input file and fed directly into DataBuf() (which calls
malloc). A crafted input file can provide arbitrarily (up to
max(uint32_t)-8) large values and result in excessive memory
allocation.

This commit adds a check for the new size of DataBuf so that it is not
larger than the remaining size of the file.

This fixes #202 aka CVE-2018-4868
Dan Čermák 2018-01-09 21:18:36 +01:00
parent 7f56236bb8
commit fcb4257051


@ -268,7 +268,12 @@ namespace Exiv2
#endif
const long pad = 3 ; // 3 padding bytes 2 0 0
DataBuf data(Safe::add(subBox.length, static_cast<uint32_t>(8)));
const size_t data_length = Safe::add(subBox.length, static_cast<uint32_t>(8));
// data_length makes no sense if it is larger than the rest of the file
if (data_length > io_->size() - io_->tell()) {
throw Error(58);
}
DataBuf data(data_length);
io_->read(data.pData_,data.size_);
const long iccLength = getULong(data.pData_+pad, bigEndian);
// subtracting pad from data.size_ is safe:
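Review bot: the guard `if (data_length > io_->size() - io_->tell())` compares a `size_t` against the difference of two `io_` calls whose return types are not visible in this hunk; if those are signed (as file offsets usually are) and `tell()` ever exceeded `size()`, the negative difference would convert to a very large unsigned value and the check would silently pass. Suggest computing the remaining byte count into a named unsigned variable after checking `io_->tell() <= io_->size()`, e.g. `const size_t remaining = static_cast<size_t>(io_->size() - io_->tell());` and then `if (data_length > remaining) { throw Error(58); }`, so the comparison is done in one unsigned type. The bare `throw Error(58)` would also read better with a short comment stating what error 58 denotes, in the same style as the `// data_length makes no sense ...` comment just above it.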