Prevent SIGABRT on excessive subBox length in jp2image.cpp

This fixes CVE-2018-9145
Exiv2 · Oct 10, 2018 · c03f732 · c03f732
1 parent af44cec
commit c03f732
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
@@ -503,6 +503,10 @@ namespace Exiv2
                             subBox.length = getLong((byte*)&subBox.length, bigEndian);
                             subBox.type   = getLong((byte*)&subBox.type, bigEndian);
 
+                            // subBox.length makes no sense if it is larger than the rest of the file
+                            if (subBox.length > io_->size() - io_->tell()) {
+                                throw Error(kerCorruptedMetadata);
+                            }
                             DataBuf data(subBox.length-sizeof(box));
                             io_->read(data.pData_,data.size_);
                             if ( bPrint ) {

diff --git a/test/data/4-DataBuf-abort-1 b/test/data/4-DataBuf-abort-1
diff --git a/tests/bugfixes/github/test_CVE_2018_9145.py b/tests/bugfixes/github/test_CVE_2018_9145.py
@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+
+import system_tests
+
+
+class SubBoxLengthDataBufAbort(metaclass=system_tests.CaseMeta):
+
+    url = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9145"
+
+    filename = system_tests.path(
+        "$data_path/4-DataBuf-abort-1"
+    )
+    commands = ["$exiv2 -pR $filename"]
+    stdout = [
+        """STRUCTURE OF JPEG2000 FILE: $filename
+ address |   length | box       | data
+       0 |       12 | jP        | 
+      12 |       20 | jp2h      | 
+"""
+    ]
+    stderr = [
+        """$exiv2_exception_message $filename:
+$kerCorruptedMetadata
+"""
+    ]
+    retval = [1]