Package: exiv2
Version: 0.24-4.1
Severity: grave
Tags: security patch

There is a buffer overflow condition with some AVI files. I am not fully
sure, but maybe it could be used for code execution.

However, the bug is fixed upstream. See also report [0].

I extracted and tested the patch from upstream and added it to this
report.

This bug also affects many other packages that use libexiv2, namely
geeqie and digikam.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (800, 'unstable'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17.5 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages exiv2 depends on:
ii  libc6        2.19-13
ii  libexiv2-13  0.24-4.1
ii  libgcc1      1:4.9.2-9
ii  libstdc++6   4.9.2-9

exiv2 recommends no packages.

exiv2 suggests no packages.

-- no debconf information

[0] http://dev.exiv2.org/issues/1002
-- 
Klaus Ethgen                              http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16   Klaus Ethgen <kl...@ethgen.de>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
From ed36a4692058f745a06d87bdaf107bc43c7d2359 Mon Sep 17 00:00:00 2001
From: badola <badola@b7c8b350-86e7-0310-a4b4-de8f6a8f16a3>
Date: Thu, 19 Jun 2014 20:28:44 +0000
Subject: [PATCH] #960: Added a Buffer Overflow Fix in INFO tags of
 RIFFVIDEO.CPP

git-svn-id: svn://dev.exiv2.org/svn/trunk@3264 b7c8b350-86e7-0310-a4b4-de8f6a8f16a3
---
 src/riffvideo.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/riffvideo.cpp b/src/riffvideo.cpp
index 4545bc3..0dcd291 100644
--- a/src/riffvideo.cpp
+++ b/src/riffvideo.cpp
@@ -856,7 +856,7 @@ namespace Exiv2 {
 
     void RiffVideo::infoTagsHandler()
     {
-        const long bufMinSize = 100;
+        const long bufMinSize = 10000;
         DataBuf buf(bufMinSize);
         buf.pData_[4] = '\0';
         io_->seek(-12, BasicIo::cur);
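Review bot: Raising bufMinSize from 100 to 10000 only moves the overflow threshold; infoSize is still taken from the file and read into a buffer of this fixed size with no comparison between the two, so an INFO sub-chunk declaring more than 10000 bytes overflows exactly as before. Keep the constant as a minimum, but reject (or clamp) any infoSize that is not strictly less than it before the read. Note too that `buf.pData_[4] = '\0';` is only a terminator for values of at most four bytes; any longer tag read later overwrites it.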
@@ -879,10 +879,14 @@ namespace Exiv2 {
             if(infoSize >= 0) {
                 size -= infoSize;
                 io_->read(buf.pData_, infoSize);
+                if(infoSize < 4)
+                    buf.pData_[infoSize] = '\0';
             }
 
             if(tv)
                 xmpData_[exvGettext(tv->label_)] = buf.pData_;
+            else
+                continue;
         }
         io_->seek(cur_pos + size_external, BasicIo::beg);
     } // RiffVideo::infoTagsHandler
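Review bot: The read at `io_->read(buf.pData_, infoSize);` still has no bound: infoSize comes from the file and the buffer holds bufMinSize bytes, so add `if (infoSize < 0 || infoSize >= bufMinSize)` and skip or fail on that chunk before reading. The new terminator is also incomplete: it is written only when infoSize < 4, so for any value of five or more bytes the string assigned to xmpData_ is terminated only by whatever the buffer happened to hold before (the `buf.pData_[4] = '\0'` preset is overwritten by the read). Write `buf.pData_[infoSize] = '\0';` unconditionally once infoSize < bufMinSize is guaranteed. Finally, `else continue;` is the last statement of the loop body, so it changes nothing; drop it.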
-- 
2.1.4
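As an added example, not code from the report, from exiv2 or from this patch, here is the shape of the check the patch is missing: a parser for a RIFF LIST/INFO chunk that validates every file-supplied size field against both the remaining input and the fixed destination buffer before copying, and always NUL-terminates the value. The 100-byte buffer mirrors the bufMinSize the patch replaces (an assumption about the original, used only to make the limit concrete); parse_info_list, the INFO_ERR_* codes and the three example_* functions with their byte arrays are constructed for this illustration and are not exiv2's API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed destination buffer; 100 mirrors exiv2 0.24's bufMinSize (assumption). */
#define INFO_BUF_SIZE 100

enum {
    INFO_ERR_NOT_INFO  = -1,   /* not a LIST/INFO chunk */
    INFO_ERR_TRUNCATED = -2,   /* a declared size runs past the available bytes */
    INFO_ERR_OVERSIZE  = -3    /* a sub-chunk value does not fit the fixed buffer */
};

struct info_tag {
    char id[5];                 /* four-character code, NUL-terminated */
    char value[INFO_BUF_SIZE];  /* value, always NUL-terminated */
};

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a RIFF "LIST"/"INFO" chunk held in data[0..len). Each size field comes
   from the file, so it is checked against the remaining input and against the
   destination buffer before a single byte is copied. Returns the number of tags
   stored or a negative INFO_ERR_* code. */
int parse_info_list(const unsigned char *data, size_t len,
                    struct info_tag *out, size_t max_tags)
{
    if (len < 12 || memcmp(data, "LIST", 4) != 0 || memcmp(data + 8, "INFO", 4) != 0)
        return INFO_ERR_NOT_INFO;
    uint32_t list_size = rd_le32(data + 4);
    if (list_size < 4 || list_size > len - 8)
        return INFO_ERR_TRUNCATED;

    const unsigned char *p   = data + 12;
    const unsigned char *end = data + 8 + list_size;
    size_t n = 0;
    while ((size_t)(end - p) >= 8) {
        uint32_t sz = rd_le32(p + 4);
        if (sz > (size_t)(end - p) - 8)      /* value would run past the LIST */
            return INFO_ERR_TRUNCATED;
        if (sz >= INFO_BUF_SIZE)             /* no room for value plus NUL */
            return INFO_ERR_OVERSIZE;
        if (n < max_tags) {
            memcpy(out[n].id, p, 4);
            out[n].id[4] = '\0';
            memcpy(out[n].value, p + 8, sz);
            out[n].value[sz] = '\0';         /* terminate unconditionally */
            n++;
        }
        p += 8 + sz;
        if ((sz & 1) && p < end)             /* RIFF pads odd chunks to even */
            p++;
    }
    return (int)n;
}

/* Constructed sample: a well-formed list with INAM="Hello" (odd length, padded)
   and ISFT="Lavf". */
int example_benign(struct info_tag *out, size_t max_tags)
{
    static const unsigned char good[] = {
        'L','I','S','T',  30,0,0,0,  'I','N','F','O',
        'I','N','A','M',  5,0,0,0,   'H','e','l','l','o', 0,
        'I','S','F','T',  4,0,0,0,   'L','a','v','f'
    };
    return parse_info_list(good, sizeof good, out, max_tags);
}

/* Constructed sample: one ICMT sub-chunk of 120 bytes, larger than the fixed
   buffer. Copied unchecked, this is the overflow the report describes. */
int example_oversize(void)
{
    unsigned char bad[8 + 4 + 8 + 120];
    memcpy(bad, "LIST", 4);
    bad[4] = 4 + 8 + 120; bad[5] = bad[6] = bad[7] = 0;   /* list size 132 */
    memcpy(bad + 8, "INFO", 4);
    memcpy(bad + 12, "ICMT", 4);
    bad[16] = 120; bad[17] = bad[18] = bad[19] = 0;       /* sub-chunk size */
    memset(bad + 20, 'A', 120);
    struct info_tag t[1];
    return parse_info_list(bad, sizeof bad, t, 1);
}

/* Constructed sample: a sub-chunk declaring 1000 bytes with only 8 present. */
int example_truncated(void)
{
    static const unsigned char trunc[] = {
        'L','I','S','T',  20,0,0,0,  'I','N','F','O',
        'I','N','A','M',  0xE8,0x03,0,0,  'x','x','x','x','x','x','x','x'
    };
    struct info_tag t[1];
    return parse_info_list(trunc, sizeof trunc, t, 1);
}

int main(void)
{
    struct info_tag tags[4];
    int n = example_benign(tags, 4);
    for (int i = 0; i < n; i++)
        printf("%s = %s\n", tags[i].id, tags[i].value);
    printf("oversize -> %d, truncated -> %d\n", example_oversize(), example_truncated());
    return 0;
}
```

The two rejections are the point: a declared size larger than the fixed buffer is treated as a malformed chunk and never copied, instead of being absorbed by a larger constant, and the terminator is written on every path rather than only for values shorter than four bytes.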
