
Prevent SIGABRT on excessive subBox length in jp2image.cpp #470

Merged 1 commit (Oct 10, 2018)

Conversation

rcsanchez97
Contributor

This fixes CVE-2018-9145

I am working on analyzing CVEs for the Debian LTS team and I believe I have identified the fix for CVE-2018-9145. Note that while I gave the MITRE URL in the test I added, the reproducer originates here: https://github.com/xiaoqx/pocs/tree/master/exiv2 (it is reproducer 4 that I used).

The fix that I applied in jp2image.cpp follows the same pattern as the length check at jp2image.cpp:272.

Also note that as a result of changes in #368 the reproducer produces the output Uncaught exception: std::bad_alloc at exiv2.cpp:177 instead of a SIGABRT.

If I need to adjust anything in this pull request, please let me know.
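As an added illustration (not the PR's code and not Exiv2's own), a minimal JP2 sub-box walker with the kind of length check the fix describes: each sub-box length is validated against the bytes remaining in its parent before it is trusted, so an excessive length is rejected instead of reaching an allocation. The names Box, parseSubBoxes, countSubBoxes and samplePayload are chosen here, and the sample payload is constructed, not the PR's reproducer.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
// A JP2 box: 4-byte big-endian length (counting the 8-byte header itself), then
// a 4-byte type code. Illustrative code written for this note, not Exiv2's own.
struct Box {
    std::string type;
    std::size_t offset;  // start of the payload within the buffer
    std::size_t length;  // payload length in bytes
};
static std::size_t readBE32(const std::uint8_t* p) {
    return (std::size_t(p[0]) << 24) | (std::size_t(p[1]) << 16) |
           (std::size_t(p[2]) << 8) | std::size_t(p[3]);
}
// Walks the sub-boxes of a superbox payload (e.g. jp2h). Each sub-box length is
// checked against the bytes that actually remain in the parent before use, so an
// excessive length is rejected (false) instead of driving an oversized allocation
// or an out-of-bounds read. Only 4-byte lengths are handled; LBox 0/1 are rejected.
bool parseSubBoxes(const std::vector<std::uint8_t>& data, std::vector<Box>& out) {
    std::size_t pos = 0;
    while (pos < data.size()) {
        const std::size_t remaining = data.size() - pos;
        if (remaining < 8) return false;  // truncated header
        const std::size_t boxLen = readBE32(&data[pos]);
        if (boxLen < 8 || boxLen > remaining) return false;  // the length check
        out.push_back({std::string(data.begin() + pos + 4, data.begin() + pos + 8),
                       pos + 8, boxLen - 8});
        pos += boxLen;
    }
    return true;
}
// Verdict-only helper: number of sub-boxes parsed, or -1 if the payload is rejected.
int countSubBoxes(const std::vector<std::uint8_t>& data) {
    std::vector<Box> boxes;
    return parseSubBoxes(data, boxes) ? static_cast<int>(boxes.size()) : -1;
}
// Constructed jp2h payload: a 22-byte 'ihdr' box then a 15-byte 'colr' box, zero-filled.
// With excessive=true the ihdr length becomes 0xFFFFFFFF (constructed, not the PR's reproducer).
std::vector<std::uint8_t> samplePayload(bool excessive) {
    std::vector<std::uint8_t> v = {0, 0, 0, 22, 'i', 'h', 'd', 'r'};
    v.resize(22, 0);
    const std::uint8_t colr[] = {0, 0, 0, 15, 'c', 'o', 'l', 'r'};
    v.insert(v.end(), colr, colr + 8);
    v.resize(37, 0);
    if (excessive) v[0] = v[1] = v[2] = v[3] = 0xFF;
    return v;
}
```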

@codecov

codecov bot commented Oct 10, 2018

Codecov Report

Merging #470 into master will increase coverage by 0.22%.
The diff coverage is 100%.


@@            Coverage Diff             @@
##           master     #470      +/-   ##
==========================================
+ Coverage   62.28%   62.51%   +0.22%     
==========================================
  Files         150      150              
  Lines       20548    20550       +2     
==========================================
+ Hits        12798    12846      +48     
+ Misses       7750     7704      -46
Impacted Files      Coverage Δ
src/jp2image.cpp    41.81% <100%> (+13.87%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 11e66c6...d01eb99.

Collaborator

@piponazo piponazo left a comment


Thanks @rcsanchez97 for the contribution. The changes look good and CI is green, let's merge the branch 😉

@piponazo piponazo merged commit c03f732 into Exiv2:master Oct 10, 2018
@D4N
Member

D4N commented Oct 10, 2018

@rcsanchez97 The URL to the reproducer seems familiar to me; do you happen to know which issue tracks it?

@rcsanchez97
Contributor Author

@D4N I searched the open and closed issues, but I could not find one. The only issues I found mentioning something similar were issue #302 (which is a distinct issue that was fixed some time ago) and #303 (which is also a distinct issue and was closed as not a bug).

@rcsanchez97
Contributor Author

@piponazo You are quite welcome.

@rcsanchez97 rcsanchez97 deleted the cve-2018-9145 branch October 10, 2018 12:13