From bc407b1224d5e7f2f5545760165884f39957c2c9 Mon Sep 17 00:00:00 2001
From: linker
Date: Sat, 8 May 2021 16:02:06 +0800
Subject: [PATCH] fix cve-2021-29470

---
 backport-CVE-2021-29470.patch | 39 +++++++++++++++++++++++++++++++++++
 exiv2.spec | 9 +++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-29470.patch

diff --git a/backport-CVE-2021-29470.patch b/backport-CVE-2021-29470.patch
new file mode 100644
index 0000000..bd4b8b2
--- /dev/null
+++ b/backport-CVE-2021-29470.patch
@@ -0,0 +1,39 @@
+From 6628a69c036df2aa036290e6cd71767c159c79ed Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse
+Date: Wed, 21 Apr 2021 12:06:04 +0100
+Subject: [PATCH] Add more bounds checks in Jp2Image::encodeJp2Header
+
+---
+ src/jp2image.cpp | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 917d115..0825d99 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -626,15 +626,18 @@ namespace Exiv2
+ void Jp2Image::encodeJp2Header(const DataBuf& boxBuf,DataBuf& outBuf)
+ {
+ DataBuf output(boxBuf.size_ + iccProfile_.size_ + 100); // allocate sufficient space
+- int outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
+- int inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ long outlen = sizeof(Jp2BoxHeader) ; // now many bytes have we written to output?
++ long inlen = sizeof(Jp2BoxHeader) ; // how many bytes have we read from boxBuf?
++ enforce(sizeof(Jp2BoxHeader) <= static_cast(output.size_), Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pBox = (Jp2BoxHeader*) boxBuf.pData_;
+- int32_t length = getLong((byte*)&pBox->length, bigEndian);
+- int32_t count = sizeof (Jp2BoxHeader);
++ uint32_t length = getLong((byte*)&pBox->length, bigEndian);
++ enforce(length <= static_cast(output.size_), Exiv2::kerCorruptedMetadata);
++ uint32_t count = sizeof (Jp2BoxHeader);
+ char* p = (char*) boxBuf.pData_;
+ bool bWroteColor = false ;
+
+ while ( count < length || !bWroteColor ) {
++ enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);
+ Jp2BoxHeader* pSubBox = (Jp2BoxHeader*) (p+count) ;
+
+ // copy data. pointer could be into a memory mapped file which we will decode!
+--
+2.23.0
+
diff --git a/exiv2.spec b/exiv2.spec
index 8fcddd7..7b89ebb 100644
--- a/exiv2.spec
+++ b/exiv2.spec
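Review bot: The new `enforce(sizeof(Jp2BoxHeader) <= length - count, ...)` at the top of the `while` loop does not hold up on the loop's second arm, `!bWroteColor`: that arm keeps the loop running with `count >= length`, and since both are now `uint32_t`, `count == length` makes the check reduce to `sizeof(Jp2BoxHeader) <= 0` and throw, while `count > length` wraps `length - count` to a large value so the check passes and `pSubBox` is formed past the box. The loop body continues outside the hunk, so whether `count == length` is a deliberate path (e.g. for emitting the colour box) cannot be confirmed here; a guard that states the relation explicitly would be `enforce(count <= length, Exiv2::kerCorruptedMetadata);` followed by `if (count < length) enforce(sizeof(Jp2BoxHeader) <= length - count, Exiv2::kerCorruptedMetadata);`, with the dereference of `pSubBox` in the body kept under the same `count < length` condition. Separately, both `static_cast(output.size_)` calls appear on this page with no template argument, which would not compile; that is most likely angle-bracket loss in rendering, but the committed patch file should be checked to carry the intended type. `Jp2Image::encodeJp2Header` ends outside the hunk.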
@@ -1,6 +1,6 @@ Name: exiv2 Version: 0.26 -Release: 24 +Release: 25 Summary: Exif, IPTC and XMP metadata and the ICC Profile License: GPLv2+ URL: http://www.exiv2.org/ @@ -61,6 +61,7 @@ Patch6028: CVE-2018-9145.patch Patch6029: CVE-2021-3482.patch Patch6030: backport-CVE-2021-29457.patch Patch6031: backport-CVE-2021-29458.patch +Patch6032: backport-CVE-2021-29470.patch Provides: exiv2-libs Obsoletes: exiv2-libs @@ -124,6 +125,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %{_datadir}/doc/html/ %changelog +* Sat May 08 2021 wangkerong - 0.26-25 +- Type:cve +- ID:CVE-2021-29470 +- SUG:NA +- DESC:fix CVE-2021-29470 + * Thu Apr 29 2021 wangkerong - 0.26-24 - Type:cves - ID:CVE-2021-29457 CVE-2021-29458 -- Gitee