A vulnerability was found in Exiv2: there is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrwimage.cpp.
Created exiv2 tracking bugs for this issue:
Affects: fedora-all [bug 1729035]
https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9 [master branch]
https://github.com/Exiv2/exiv2/commit/edb4bf78ca5820f2c7a852c8f2df11e6aba45704 [0.27-maintenance branch]
This issue did not affect the versions of exiv2 as shipped with Red Hat Enterprise Linux 7 and 8, as the variables MemIo::Impl::size_ and MemIo::Impl::idx_ are of type long, making it impossible to trigger the integer wraparound that would lead to an out-of-bounds read.
When seeking in MemIo (code in MemIo::Impl::seek), the new position is not properly checked, so it is possible to move the current position beyond the limits of the memory buffer. If a read is done later (code in MemIo::Impl::read), the maximum number of bytes to read is computed by subtracting the current position value from the buffer's size value. When these two values are implemented as unsigned values (e.g. size_t), the computation may wrap around and more data than is really available would be reported, making it possible to read beyond the buffer's limits.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
The flaw seems to have been introduced in commit https://github.com/Exiv2/exiv2/commit/c72d16f4c402a8acc2dfe06fe3d58bf6cf99069e, where MemIo::Impl fields were changed from long to size_t.
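The seek/read interaction and the long versus size_t difference described in the comments above, as an added C++ example that is not Exiv2's code and not part of the original bug comments. `MemModel`, `flawedAllow`, `signedAllow`, the zero clamp and the 16-byte buffer are hypothetical names and constructed values; only the field names `size_` and `idx_` come from the page.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <cstring>

// Simplified stand-in for a memory-backed I/O object (assumption: only the
// size_ and idx_ fields named on this page are modelled; not Exiv2 source).
struct MemModel {
    const unsigned char* data_;
    std::size_t size_;
    std::size_t idx_;

    // Flawed pattern: seek stores the position without comparing it to size_.
    void seekUnchecked(std::size_t pos) { idx_ = pos; }

    // Flawed pattern: when idx_ > size_, size_ - idx_ wraps to a huge value and
    // rcount passes through unchanged. Only the count is computed; nothing is copied.
    std::size_t flawedAllow(std::size_t rcount) const {
        return std::min(rcount, size_ - idx_);
    }

    // Hardened seek: reject positions past the end of the buffer.
    bool seekChecked(std::size_t pos) {
        if (pos > size_) return false;
        idx_ = pos;
        return true;
    }

    // Hardened read: compare before subtracting, so the subtraction cannot wrap.
    std::size_t readChecked(unsigned char* out, std::size_t rcount) {
        if (idx_ >= size_) return 0;
        std::size_t allow = std::min(rcount, size_ - idx_);
        std::memcpy(out, data_ + idx_, allow);
        idx_ += allow;
        return allow;
    }
};

// Same subtraction with signed fields: the result goes negative instead of
// wrapping, so a clamp to zero (this model's choice) catches it.
long signedAllow(long size, long idx, long rcount) {
    return std::min(rcount, std::max(size - idx, 0L));
}

int main() {
    static const unsigned char buf[16] = {0};  // constructed 16-byte buffer
    MemModel m{buf, sizeof buf, 0};
    m.seekUnchecked(100);  // position far past the end of the buffer
    std::printf("unsigned allow=%zu signed allow=%ld checked seek ok=%d\n",
                m.flawedAllow(64), signedAllow(16, 100, 64), m.seekChecked(100));
}
```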