new file mode 100644
@@ -0,0 +1,36 @@
+From 5a11c81fe8df7cb82c2b2889b1d5863b42d59cc6 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Tue, 6 Jul 2021 18:15:40 +0100
+Subject: [PATCH] Extra checking to prevent the loop counter from wrapping
+ around.
+
+CVE: CVE-2021-34334
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/1766/commits/97c4880882d87aee77809b4b6e8fb4a5558e4ca2]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/crwimage_int.cpp | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
+index 0232867..4ccea63 100644
+--- a/src/crwimage_int.cpp
++++ b/src/crwimage_int.cpp
+@@ -868,12 +868,16 @@ namespace Exiv2 {
+ assert(ifdId != ifdIdNotSet);
+
+ std::string groupName(Internal::groupName(ifdId));
++ const uint32_t component_size = ciffComponent.size();
++ enforce(component_size % 2 == 0, kerCorruptedMetadata);
++ enforce(component_size/2 <= static_cast<uint32_t>(std::numeric_limits<uint16_t>::max()), kerCorruptedMetadata);
++ const uint16_t num_components = static_cast<uint16_t>(component_size/2);
+ uint16_t c = 1;
+- while (uint32_t(c)*2 < ciffComponent.size()) {
++ while (c < num_components) {
+ uint16_t n = 1;
+ ExifKey key(c, groupName);
+ UShortValue value;
+- if (ifdId == canonCsId && c == 23 && ciffComponent.size() > 50) n = 3;
++ if (ifdId == canonCsId && c == 23 && component_size >= 52) n = 3;
+ value.read(ciffComponent.pData() + c*2, n*2, byteOrder);
+ image.exifData().add(key, &value);
+ if (ifdId == canonSiId && c == 21) aperture = value.toLong();
new file mode 100644
@@ -0,0 +1,322 @@
+From fd66118143640ed248e209c18fc8f2447f1bc85e Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 7 Jul 2021 14:41:42 +0100
+Subject: [PATCH] Defensive coding changes to avoid integer overflow in loop
+ conditions.
+
+CVE: CVE-2021-34334
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/1766/commits/1b204d9b19efcff1acad56737d6483a393e24832]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/actions.cpp | 4 ++--
+ src/basicio.cpp | 9 ++++-----
+ src/convert.cpp | 10 +++++-----
+ src/exif.cpp | 2 +-
+ src/exiv2.cpp | 4 ++--
+ src/iptc.cpp | 9 ++++++---
+ src/preview.cpp | 2 +-
+ src/tags_int.cpp | 7 +++++--
+ src/tiffcomposite_int.cpp | 4 ++--
+ src/tiffvisitor_int.cpp | 6 +++---
+ src/types.cpp | 2 +-
+ src/xmp.cpp | 2 +-
+ src/xmpsidecar.cpp | 2 +-
+ 13 files changed, 34 insertions(+), 29 deletions(-)
+
+diff --git a/src/actions.cpp b/src/actions.cpp
+index a941d67..97acac7 100644
+--- a/src/actions.cpp
++++ b/src/actions.cpp
+@@ -702,8 +702,8 @@ namespace Action {
+ std::ostringstream os;
+ // #1114 - show negative values for SByte
+ if (md.typeId() == Exiv2::signedByte) {
+- for ( int c = 0 ; c < md.value().count() ; c++ ) {
+- int value = md.value().toLong(c);
++ for ( long c = 0 ; c < md.value().count() ; c++ ) {
++ long value = md.value().toLong(c);
+ os << (c?" ":"") << std::dec << (value < 128 ? value : value - 256);
+ }
+ } else {
+diff --git a/src/basicio.cpp b/src/basicio.cpp
+index b5ec43c..7b707e1 100644
+--- a/src/basicio.cpp
++++ b/src/basicio.cpp
+@@ -1800,9 +1800,10 @@ namespace Exiv2 {
+
+ // find $right
+ findDiff = false;
+- blockIndex = nBlocks - 1;
+- blockSize = p_->blocksMap_[blockIndex].getSize();
+- while ((blockIndex + 1 > 0) && right < src.size() && !findDiff) {
++ blockIndex = nBlocks;
++ while (blockIndex > 0 && right < src.size() && !findDiff) {
++ blockIndex--;
++ blockSize = p_->blocksMap_[blockIndex].getSize();
+ if(src.seek(-1 * (blockSize + right), BasicIo::end)) {
+ findDiff = true;
+ } else {
+@@ -1817,8 +1818,6 @@ namespace Exiv2 {
+ }
+ }
+ }
+- blockIndex--;
+- blockSize = (long)p_->blocksMap_[blockIndex].getSize();
+ }
+
+ // free buf
+diff --git a/src/convert.cpp b/src/convert.cpp
+index ef83a23..25fb587 100644
+--- a/src/convert.cpp
++++ b/src/convert.cpp
+@@ -545,7 +545,7 @@ namespace Exiv2 {
+ Exiv2::ExifData::iterator pos = exifData_->findKey(ExifKey(from));
+ if (pos == exifData_->end()) return;
+ if (!prepareXmpTarget(to)) return;
+- for (int i = 0; i < pos->count(); ++i) {
++ for (long i = 0; i < pos->count(); ++i) {
+ std::string value = pos->toString(i);
+ if (!pos->value().ok()) {
+ #ifndef SUPPRESS_WARNINGS
+@@ -692,7 +692,7 @@ namespace Exiv2 {
+ if (pos == exifData_->end()) return;
+ if (!prepareXmpTarget(to)) return;
+ std::ostringstream value;
+- for (int i = 0; i < pos->count(); ++i) {
++ for (long i = 0; i < pos->count(); ++i) {
+ value << static_cast<char>(pos->toLong(i));
+ }
+ (*xmpData_)[to] = value.str();
+@@ -705,7 +705,7 @@ namespace Exiv2 {
+ if (pos == exifData_->end()) return;
+ if (!prepareXmpTarget(to)) return;
+ std::ostringstream value;
+- for (int i = 0; i < pos->count(); ++i) {
++ for (long i = 0; i < pos->count(); ++i) {
+ if (i > 0) value << '.';
+ value << pos->toLong(i);
+ }
+@@ -823,7 +823,7 @@ namespace Exiv2 {
+ Exiv2::XmpData::iterator pos = xmpData_->findKey(XmpKey(from));
+ if (pos == xmpData_->end()) return;
+ std::ostringstream array;
+- for (int i = 0; i < pos->count(); ++i) {
++ for (long i = 0; i < pos->count(); ++i) {
+ std::string value = pos->toString(i);
+ if (!pos->value().ok()) {
+ #ifndef SUPPRESS_WARNINGS
+@@ -972,7 +972,7 @@ namespace Exiv2 {
+ return;
+ }
+
+- for (unsigned i = 0; i < value.length(); ++i) {
++ for (size_t i = 0; i < value.length(); ++i) {
+ if (value[i] == '.') value[i] = ' ';
+ }
+ (*exifData_)[to] = value;
+diff --git a/src/exif.cpp b/src/exif.cpp
+index 493fd20..de93980 100644
+--- a/src/exif.cpp
++++ b/src/exif.cpp
+@@ -948,7 +948,7 @@ namespace {
+ long sumToLong(const Exiv2::Exifdatum& md)
+ {
+ long sum = 0;
+- for (int i = 0; i < md.count(); ++i) {
++ for (long i = 0; i < md.count(); ++i) {
+ sum += md.toLong(i);
+ }
+ return sum;
+diff --git a/src/exiv2.cpp b/src/exiv2.cpp
+index a7c542e..09f690d 100644
+--- a/src/exiv2.cpp
++++ b/src/exiv2.cpp
+@@ -1499,7 +1499,7 @@ namespace {
+ std::string parseEscapes(const std::string& input)
+ {
+ std::string result = "";
+- for (unsigned int i = 0; i < input.length(); ++i) {
++ for (size_t i = 0; i < input.length(); ++i) {
+ char ch = input[i];
+ if (ch != '\\') {
+ result.push_back(ch);
+@@ -1526,7 +1526,7 @@ namespace {
+ result.push_back('\t');
+ break;
+ case 'u': // Escaping of unicode
+- if (input.length() - 4 > i) {
++ if (input.length() >= 4 && input.length() - 4 > i) {
+ int acc = 0;
+ for (int j = 0; j < 4; ++j) {
+ ++i;
+diff --git a/src/iptc.cpp b/src/iptc.cpp
+index 1ffc759..f823f74 100644
+--- a/src/iptc.cpp
++++ b/src/iptc.cpp
+@@ -27,6 +27,7 @@
+ #include "iptc.hpp"
+ #include "types.hpp"
+ #include "error.hpp"
++#include "enforce.hpp"
+ #include "value.hpp"
+ #include "datasets.hpp"
+ #include "jpgimage.hpp"
+@@ -350,22 +351,24 @@ namespace Exiv2 {
+
+ void IptcData::printStructure(std::ostream& out, const Slice<byte*>& bytes, uint32_t depth)
+ {
+- uint32_t i = 0;
+- while (i < bytes.size() - 3 && bytes.at(i) != 0x1c)
++ size_t i = 0;
++ while (i + 3 < bytes.size() && bytes.at(i) != 0x1c)
+ i++;
+ depth++;
+ out << Internal::indent(depth) << "Record | DataSet | Name | Length | Data" << std::endl;
+- while (i < bytes.size() - 3) {
++ while (i + 3 < bytes.size()) {
+ if (bytes.at(i) != 0x1c) {
+ break;
+ }
+ char buff[100];
+ uint16_t record = bytes.at(i + 1);
+ uint16_t dataset = bytes.at(i + 2);
++ enforce(bytes.size() - i >= 5, kerCorruptedMetadata);
+ uint16_t len = getUShort(bytes.subSlice(i + 3, bytes.size()), bigEndian);
+ sprintf(buff, " %6d | %7d | %-24s | %6d | ", record, dataset,
+ Exiv2::IptcDataSets::dataSetName(dataset, record).c_str(), len);
+
++ enforce(bytes.size() - i >= 5 + len, kerCorruptedMetadata);
+ out << buff << Internal::binaryToString(makeSlice(bytes, i + 5, i + 5 + (len > 40 ? 40 : len)))
+ << (len > 40 ? "..." : "")
+ << std::endl;
+diff --git a/src/preview.cpp b/src/preview.cpp
+index ed45566..d99a03a 100644
+--- a/src/preview.cpp
++++ b/src/preview.cpp
+@@ -809,7 +809,7 @@ namespace {
+ enforce(size_ <= static_cast<uint32_t>(io.size()), kerCorruptedMetadata);
+ DataBuf buf(size_);
+ uint32_t idxBuf = 0;
+- for (int i = 0; i < sizes.count(); i++) {
++ for (long i = 0; i < sizes.count(); i++) {
+ uint32_t offset = dataValue.toLong(i);
+ uint32_t size = sizes.toLong(i);
+ enforce(Safe::add(idxBuf, size) < size_, kerCorruptedMetadata);
+diff --git a/src/tags_int.cpp b/src/tags_int.cpp
+index f29b1e3..6f76a87 100644
+--- a/src/tags_int.cpp
++++ b/src/tags_int.cpp
+@@ -24,6 +24,7 @@
+
+ #include "convert.hpp"
+ #include "error.hpp"
++#include "enforce.hpp"
+ #include "i18n.h" // NLS support.
+
+ #include "canonmn_int.hpp"
+@@ -2173,7 +2174,9 @@ namespace Exiv2 {
+ {
+ uint16_t bit = 0;
+ uint16_t comma = 0;
+- for (uint16_t i = 0; i < value.count(); i++ ) { // for each element in value array
++ long count = value.count();
++ enforce(0 <= count && count <= std::numeric_limits<uint16_t>::max(), kerCorruptedMetadata);
++ for (uint16_t i = 0; i < count; i++ ) { // for each element in value array
+ uint16_t bits = static_cast<uint16_t>(value.toLong(i));
+ for (uint16_t b = 0; b < 16; ++b) { // for every bit
+ if (bits & (1 << b)) {
+@@ -2867,7 +2870,7 @@ namespace Exiv2 {
+ if (stringValue[19] == 'Z') {
+ stringValue = stringValue.substr(0, 19);
+ }
+- for (unsigned int i = 0; i < stringValue.length(); ++i) {
++ for (size_t i = 0; i < stringValue.length(); ++i) {
+ if (stringValue[i] == 'T') stringValue[i] = ' ';
+ if (stringValue[i] == '-') stringValue[i] = ':';
+ }
+diff --git a/src/tiffcomposite_int.cpp b/src/tiffcomposite_int.cpp
+index a6bf925..6424156 100644
+--- a/src/tiffcomposite_int.cpp
++++ b/src/tiffcomposite_int.cpp
+@@ -431,7 +431,7 @@ namespace Exiv2 {
+ return;
+ }
+ uint32_t size = 0;
+- for (int i = 0; i < pSize->count(); ++i) {
++ for (long i = 0; i < pSize->count(); ++i) {
+ size += static_cast<uint32_t>(pSize->toLong(i));
+ }
+ uint32_t offset = static_cast<uint32_t>(pValue()->toLong(0));
+@@ -488,7 +488,7 @@ namespace Exiv2 {
+ #endif
+ return;
+ }
+- for (int i = 0; i < pValue()->count(); ++i) {
++ for (long i = 0; i < pValue()->count(); ++i) {
+ const uint32_t offset = static_cast<uint32_t>(pValue()->toLong(i));
+ const byte* pStrip = pData + baseOffset + offset;
+ const uint32_t size = static_cast<uint32_t>(pSize->toLong(i));
+diff --git a/src/tiffvisitor_int.cpp b/src/tiffvisitor_int.cpp
+index 066e4fc..cca9679 100644
+--- a/src/tiffvisitor_int.cpp
++++ b/src/tiffvisitor_int.cpp
+@@ -477,7 +477,7 @@ namespace Exiv2 {
+ // create vector of signedShorts from unsignedShorts in Exif.Canon.AFInfo
+ std::vector<int16_t> ints;
+ std::vector<uint16_t> uint;
+- for (int i = 0; i < object->pValue()->count(); i++) {
++ for (long i = 0; i < object->pValue()->count(); i++) {
+ ints.push_back((int16_t) object->pValue()->toLong(i));
+ uint.push_back((uint16_t) object->pValue()->toLong(i));
+ }
+@@ -524,9 +524,9 @@ namespace Exiv2 {
+ Exiv2::Value::AutoPtr v = Exiv2::Value::create(records[i].bSigned?Exiv2::signedShort:Exiv2::unsignedShort);
+ std::ostringstream s;
+ if ( records[i].bSigned ) {
+- for ( int16_t k = 0 ; k < records[i].size ; k++ ) s << " " << ints.at(nStart++);
++ for ( uint16_t k = 0 ; k < records[i].size ; k++ ) s << " " << ints.at(nStart++);
+ } else {
+- for ( int16_t k = 0 ; k < records[i].size ; k++ ) s << " " << uint.at(nStart++);
++ for ( uint16_t k = 0 ; k < records[i].size ; k++ ) s << " " << uint.at(nStart++);
+ }
+
+ v->read(s.str());
+diff --git a/src/types.cpp b/src/types.cpp
+index 17ab051..a122640 100644
+--- a/src/types.cpp
++++ b/src/types.cpp
+@@ -612,7 +612,7 @@ namespace Exiv2 {
+ bool stringTo<bool>(const std::string& s, bool& ok)
+ {
+ std::string lcs(s); /* lowercase string */
+- for(unsigned i = 0; i < lcs.length(); i++) {
++ for(size_t i = 0; i < lcs.length(); i++) {
+ lcs[i] = std::tolower(s[i]);
+ }
+ /* handle the same values as xmp sdk */
+diff --git a/src/xmp.cpp b/src/xmp.cpp
+index d426c1e..0b7ade0 100644
+--- a/src/xmp.cpp
++++ b/src/xmp.cpp
+@@ -794,7 +794,7 @@ namespace Exiv2 {
+ || i->typeId() == xmpAlt) {
+ printNode(ns, i->tagName(), "", options);
+ meta.SetProperty(ns.c_str(), i->tagName().c_str(), 0, options);
+- for (int idx = 0; idx < i->count(); ++idx) {
++ for (long idx = 0; idx < i->count(); ++idx) {
+ const std::string item = i->tagName() + "[" + toString(idx + 1) + "]";
+ printNode(ns, item, i->toString(idx), 0);
+ meta.SetProperty(ns.c_str(), item.c_str(), i->toString(idx).c_str());
+diff --git a/src/xmpsidecar.cpp b/src/xmpsidecar.cpp
+index 3146721..4791918 100644
+--- a/src/xmpsidecar.cpp
++++ b/src/xmpsidecar.cpp
+@@ -238,7 +238,7 @@ namespace Exiv2 {
+ std::string head(reinterpret_cast<const char*>(buf + start), len - start);
+ if (head.substr(0, 5) == "<?xml") {
+ // Forward to the next tag
+- for (unsigned i = 5; i < head.size(); ++i) {
++ for (size_t i = 5; i < head.size(); ++i) {
+ if (head[i] == '<') {
+ head = head.substr(i);
+ break;
new file mode 100644
@@ -0,0 +1,35 @@
+From 95f5403e8b3a5d71241b6b9ef809f4097ad404a5 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Wed, 7 Jul 2021 16:49:24 +0100
+Subject: [PATCH] Better fix for potential integer overflow in `bytes.size() -
+ 3`.
+
+CVE: CVE-2021-34334
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/1766/commits/ee8af718983469af5a86f041b58a5f52b1cbad76]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/iptc.cpp | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/iptc.cpp b/src/iptc.cpp
+index f823f74..8e54b9c 100644
+--- a/src/iptc.cpp
++++ b/src/iptc.cpp
+@@ -351,12 +351,15 @@ namespace Exiv2 {
+
+ void IptcData::printStructure(std::ostream& out, const Slice<byte*>& bytes, uint32_t depth)
+ {
++ if (bytes.size() < 3) {
++ return;
++ }
+ size_t i = 0;
+- while (i + 3 < bytes.size() && bytes.at(i) != 0x1c)
++ while (i < bytes.size() - 3 && bytes.at(i) != 0x1c)
+ i++;
+ depth++;
+ out << Internal::indent(depth) << "Record | DataSet | Name | Length | Data" << std::endl;
+- while (i + 3 < bytes.size()) {
++ while (i < bytes.size() - 3) {
+ if (bytes.at(i) != 0x1c) {
+ break;
+ }
new file mode 100644
@@ -0,0 +1,25 @@
+From 28c81a061768f06aa88d52bf46e7195fe350c272 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Thu, 8 Jul 2021 10:46:24 +0100
+Subject: [PATCH] Type of escapeStart should be size_t.
+
+CVE: CVE-2021-34334
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/pull/1766/commits/e74d8accc431d9064589bad6cf8f17c30229523d]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/exiv2.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/exiv2.cpp b/src/exiv2.cpp
+index 09f690d..3d9fa4f 100644
+--- a/src/exiv2.cpp
++++ b/src/exiv2.cpp
+@@ -1505,7 +1505,7 @@ namespace {
+ result.push_back(ch);
+ continue;
+ }
+- int escapeStart = i;
++ size_t escapeStart = i;
+ if (!(input.length() - 1 > i)) {
+ result.push_back(ch);
+ continue;
@@ -16,6 +16,10 @@ SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source
file://CVE-2021-29623.patch \
file://CVE-2021-32617.patch \
file://CVE-2021-32815.patch \
+ file://CVE-2021-34334-1.patch \
+ file://CVE-2021-34334-2.patch \
+ file://CVE-2021-34334-3.patch \
+ file://CVE-2021-34334-4.patch \
"
SRC_URI[sha256sum] = "a79f5613812aa21755d578a297874fb59a85101e793edc64ec2c6bd994e3e778"
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-34334 Pick the patches from the PR mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../exiv2/exiv2/CVE-2021-34334-1.patch | 36 ++ .../exiv2/exiv2/CVE-2021-34334-2.patch | 322 ++++++++++++++++++ .../exiv2/exiv2/CVE-2021-34334-3.patch | 35 ++ .../exiv2/exiv2/CVE-2021-34334-4.patch | 25 ++ meta-oe/recipes-support/exiv2/exiv2_0.27.3.bb | 4 + 5 files changed, 422 insertions(+) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-34334-1.patch create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-34334-2.patch create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-34334-3.patch create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2021-34334-4.patch