A CiffDirectory::readDirectory integer overflow and out-of-bounds read in Exiv2 through 0.27.1 allows an attacker to cause a denial of service (SIGSEGV) via a crafted CRW image file.
Created exiv2 tracking bugs for this issue:
Affects: fedora-all [bug 1728487]
https://github.com/Exiv2/exiv2/commit/9628f82084ed30d494ddd4f7360d233801e22967 [master branch]
https://github.com/Exiv2/exiv2/commit/c0ecc2ae36f34462be98623deb85ba1747ae2175 [0.27-maintenance branch]
This issue did not affect the versions of exiv2 as shipped with Red Hat Enterprise Linux 8 as they did not include the vulnerable code.
Function CiffDirectory::readDirectory() in crwimage.cpp checks whether the value `o` read from the image is valid; however, the check is performed as `if (o + 2 > size)`, which can be bypassed when `o + 2` wraps around. This leads to an out-of-bounds read when reading the `count` value.
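To make the wrap-around concrete, here is an added example (constructed for this report, not Exiv2's own code from crwimage.cpp or either linked commit): the offset check as described above, written the vulnerable way next to a form that cannot wrap, plus a small reader that only touches the `count` bytes when the hardened check passes. The function names, the buffer contents and the little-endian layout are assumptions made for the example.

```cpp
#include <cstdint>
#include <vector>

// Constructed model of the CRW directory offset check (not Exiv2's code).
// `o` is a 32-bit offset read from the file; `size` is the number of bytes
// available in the directory buffer. The 16-bit `count` lives at buf[o..o+1].

// Vulnerable form, mirroring the check quoted in the report. `o` is uint32_t,
// so `o + 2` is computed in 32 bits and wraps to a small value for
// o >= 0xFFFFFFFE; the comparison then accepts an offset far outside the buffer.
bool offsetAcceptedVulnerable(uint32_t o, uint32_t size) {
    return !(o + 2 > size);
}

// Hardened form: never forms `o + 2`. Rejects any offset that does not leave
// at least two bytes for `count` inside the buffer, regardless of how large
// `o` is.
bool offsetAcceptedFixed(uint32_t o, uint32_t size) {
    if (o > size) return false;
    return size - o >= 2;
}

// Reads the little-endian count at offset `o`, returning false instead of
// reading outside `buf`. Uses the hardened check, so every access is in bounds.
bool readCountSafe(const std::vector<uint8_t>& buf, uint32_t o, uint16_t* count) {
    const uint32_t size = static_cast<uint32_t>(buf.size());
    if (!offsetAcceptedFixed(o, size)) return false;
    *count = static_cast<uint16_t>(buf[o] | (buf[o + 1] << 8));
    return true;
}

// Convenience wrapper over a constructed 4-byte directory buffer: returns the
// count at `o`, or -1 if the offset is rejected. The bytes are made up for
// the example.
int demoReadCount(uint32_t o) {
    const std::vector<uint8_t> buf = {0x01, 0x00, 0x34, 0x12};  // constructed input
    uint16_t count = 0;
    if (!readCountSafe(buf, o, &count)) return -1;
    return count;
}
```

With a 10-byte buffer, `offsetAcceptedVulnerable(0xFFFFFFFF, 10)` returns true because `0xFFFFFFFF + 2` wraps to 1, while `offsetAcceptedFixed` rejects the same offset; both forms agree on in-range offsets. A fuzzer that feeds CRW files with an offset field of `0xFFFFFFFE` or `0xFFFFFFFF` is the quickest way to confirm which form a build is using.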
*** Bug 1988977 has been marked as a duplicate of this bug. ***