Add check for DataBuf.size_ in Jp2Image::readMetadata()

When parsing a subBox that is a ColorHeader, a length is extracted from the input file and fed directly into DataBuf() (which calls malloc). A crafted input file can provide arbitrarily (up to max(uint32_t)-8) large values and result in excessive memory allocation. This commit adds a check for the new size of DataBuf so that it is not larger than the remaining size of the file. This fixes Exiv2#202 aka CVE-2018-4868
a17r · Apr 25, 2018 · ce4f575 · ce4f575
1 parent 876b131
commit ce4f575
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/jp2image.cpp b/src/jp2image.cpp
@@ -272,7 +272,12 @@ namespace Exiv2
 #endif
 
                             const long pad = 3 ; // 3 padding bytes 2 0 0
-                            DataBuf data(Safe::add(subBox.length, static_cast<uint32_t>(8)));
+			    const size_t data_length = Safe::add(subBox.length, static_cast<uint32_t>(8));
+			    // data_length makes no sense if it is larger than the rest of the file
+			    if (data_length > io_->size() - io_->tell()) {
+				throw Error(58);
+			    }
+                            DataBuf data(data_length);
                             io_->read(data.pData_,data.size_);
                             const long    iccLength = getULong(data.pData_+pad, bigEndian);
                             // subtracting pad from data.size_ is safe: