A flaw was found in Exiv2 0.26. There is an integer wraparound leading to a heap-based buffer over-read in the Exiv2::getULong function in types.cpp, called while parsing an ICC profile. Remote attackers can exploit the vulnerability to cause a denial of service via a crafted JP2 image file.
Created exiv2 tracking bugs for this issue:
Affects: fedora-all [bug 1545233]
It is important to note that without AddressSanitizer enabled, the out of bound read in Exiv2::getULong does not have impact, since it is at most 4 bytes, however another out of bound read in Jp2Image::readMetadata function is triggered by the same public POC, which could crash the program or leak data.
This issue did not affect the versions of Exiv2 as shipped with Red Hat Enterprise Linux 6 and 7 as they did not include support for ICC profiles.