exiv2: out-of-bounds read in CiffDirectory::readDirectory due to lack of size check (CVE-2019-17402)

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp, because there is no validation of the relationship of the total size to the offset and size.

References:

https://github.com/Exiv2/exiv2/issues/1019
https://github.com/Exiv2/exiv2/issues/1026
https://nvd.nist.gov/vuln/detail/CVE-2019-17402

Patch:

https://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec

Affected branches:

master (a1cb55c7)
3.10-stable (243172b8)
3.9-stable (3c5375cf)
3.8-stable (bab0ca74)

Edited Dec 26, 2019 by Natanael Copa

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information