From 6629f03167cd6d43fbadc9358440b865ddeda07c Mon Sep 17 00:00:00 2001
From: Vchanger
Date: Thu, 16 Apr 2020 10:28:24 +0800
Subject: [PATCH] exiv2: fix CVE-2018-11037
---
 CVE-2018-11037.patch | 45 ++++++++++++++++++++++++++++++++++++++++++++
 exiv2.spec | 9 ++++++++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2018-11037.patch
diff --git a/CVE-2018-11037.patch b/CVE-2018-11037.patch
new file mode 100644
index 0000000..a5250fb
--- /dev/null
+++ b/CVE-2018-11037.patch
@@ -0,0 +1,45 @@
+From e40c9c148e4d2135d0d732b8dff994a9afde3394 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
+Date: Fri, 6 Jul 2018 11:51:55 +0200
+Subject: [PATCH] Remove buffer overread in tExtToDataBuf
+
+The pointer p is advanced in the while loop to step over three '\n'.
+However, its length is never reduced accordingly. => the length check in the
+following for loop is invalid, as it permits overreading by the number of
+characters that p was advanced by.
+---
+ src/pngimage.cpp | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/pngimage.cpp b/src/pngimage.cpp
+index dc623c4..a99a20b 100644
+--- a/src/pngimage.cpp
++++ b/src/pngimage.cpp
+@@ -160,12 +160,21 @@ namespace Exiv2 {
+ }
+
+ // calculate length and allocate result;
++ // count: number of \n in the header
+ long count=0;
++ // p points to the current position in the array bytes
+ const byte* p = bytes ;
+- // header is \nsomething\n number\n hex
+- while ( count < 3 )
+- if ( *p++ == '\n' )
++
++ // header is '\nsomething\n number\n hex'
++ // => increment p until it points to the byte after the last \n
++ // p must stay within bounds of the bytes array!
++ while ((count < 3) && (p - bytes < length)) {
++ // length is later used for range checks of p => decrement it for each increment of p
++ --length;
++ if ( *p++ == '\n' ) {
+ count++;
++ }
++ }
+ for ( long i = 0 ; i < length ; i++ )
+ if ( value[p[i]] )
+ ++count;
+--
+1.8.3.1
+
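Review bot: The guard `p - bytes < length` in the new while loop of the backported pngimage.cpp hunk compares the advanced offset against a remainder that is decremented in lockstep with it, so the loop exits once p has crossed the midpoint of the buffer even when fewer than three '\n' have been seen, and the following for loop then decodes from wherever p stopped. Because `--length` and `*p++` move together, `p - bytes + length` stays equal to the original length, so `while ((count < 3) && (length > 0)) {` keeps the same overread protection without the premature exit. After the loop, `count < 3` means the header was truncated or malformed and should be rejected rather than falling through into the hex-decoding loop; tExtToDataBuf starts and ends outside this hunk, so its existing error-reporting convention is not visible here and the rejection should follow it. The exiv2.spec hunks are a release bump, patch registration and changelog entry and raise nothing.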
diff --git a/exiv2.spec b/exiv2.spec
index 3e35487..2a5ea99 100644
--- a/exiv2.spec
+++ b/exiv2.spec
@@ -1,6 +1,6 @@
 Name: exiv2
 Version: 0.26
-Release: 17
+Release: 18
 Summary: Exif, IPTC and XMP metadata and the ICC Profile
 License: GPLv2+
 URL: http://www.exiv2.org/
@@ -53,6 +53,7 @@ Patch6020: CVE-2018-17581.patch
 Patch6021: CVE-2019-13110-Avoid-integer-overflow.patch
 Patch6022: CVE-2018-4868.patch
 Patch6023: backport-CVE-2018-10772.patch
+Patch6024: CVE-2018-11037.patch

 Provides: exiv2-libs
 Obsoletes: exiv2-libs
@@ -116,6 +117,12 @@ test -x %{buildroot}%{_libdir}/libexiv2.so
 %{_datadir}/doc/html/

 %changelog
+* Thu Apr 16 2020 chenzhen - 0.26-18
+- Type:cves
+- ID:CVE-2018-11037
+- SUG:NA
+- DESC:fix CVE-2018-11037
+
 * Wed Mar 11 2020 openEuler Buildteam - 0.26-17
 - Type:cves
 - ID:NA
--
Gitee