From dc2dfee2558365ca0eaa3289fb6a3243b2dec6e3 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 8 Aug 2020 12:35:18 +0800 Subject: [PATCH] fix large loop in func exif_loader_get_data
---
 ...x-large-loop-in-exif_loader_get_data.patch | 28 +++++++++++++++++++ libexif.spec | 9 +++++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 libexif-bugfix-large-loop-in-exif_loader_get_data.patch
diff --git a/libexif-bugfix-large-loop-in-exif_loader_get_data.patch b/libexif-bugfix-large-loop-in-exif_loader_get_data.patch
new file mode 100644
index 0000000..9109339
--- /dev/null
+++ b/libexif-bugfix-large-loop-in-exif_loader_get_data.patch
@@ -0,0 +1,28 @@
+From cdf1e32cb71c22c3df5d806d74384b3189008a47 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner
+Date: Sun, 17 May 2020 10:20:15 +0200
+Subject: [PATCH] handle illegal offsets earlier
+
+Bail out if an offset runs over the datasize.
+
+fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20065&q=libexif&can=2
+---
+ libexif/exif-data.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 65ae93d..8b280d3 100644
+--- a/libexif/exif-data.c
++++ b/libexif/exif-data.c
+@@ -448,6 +448,11 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ o = exif_get_long (d + offset + 12 * i + 8,
+ data->priv->order);
++ if (o >= ds) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
++ "Tag data past end of buffer (%u > %u)", offset+2, ds);
++ return;
++ }
+ /* FIXME: IFD_POINTER tags aren't marked as being in a
+ * specific IFD, so exif_tag_get_name_in_ifd won't work
+ */
diff --git a/libexif.spec b/libexif.spec
index 2be61e8..06aaadc 100644
--- a/libexif.spec
+++ b/libexif.spec
@@ -1,7 +1,7 @@
 Name: libexif
 Summary: Library for extracting extra information from image files
 Version: 0.6.21
-Release: 20
+Release: 21
 License: LGPLv2+
 URL: https://libexif.github.io/
 Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
@@ -13,6 +13,7 @@ Patch6003: libexif-bugfix-division-0.patch
 Patch6004: libexif-bugfix-integer-overflow.patch
 Patch6005: libexif-bugfix-unsigned-int.patch
 Patch6006: libexif-bugfix-overflow.patch
+Patch6007: libexif-bugfix-large-loop-in-exif_loader_get_data.patch
 Patch9001: libexif-bugfix-integer-overflow-pentax.patch
 BuildRequires: autoconf automake doxygen gettext-devel libtool pkgconfig git
@@ -71,6 +72,12 @@ make check %doc libexif-api.html NEWS %changelog +* Fri Aug 7 2020 yanan - 0.6.21-21 -Type:bugfix -Id:NA -SUG:NA -DESC:handle large loop in func exif_loader_get_data + * Tue Mar 10 2020 songnannan - 0.6.21-20 - bugfix in oss-fuzz
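Review bot: The bounds check added inside the embedded exif-data.c hunk compares `o` against `ds`, but the log call reports `offset+2` instead of `o` and prints `>` where the test is `>=`, so the corrupt-data diagnostic never shows the offset that was actually rejected; the message line should read `"Tag data past end of buffer (%u >= %u)", o, ds);`. The check itself is only complete if `o` and `ds` are both unsigned, which the `%u` conversions suggest but the hunk does not show, so a signed `o` would still need a separate negative check. The outer commit subject and the patch filename refer to `exif_loader_get_data`, while the hunk actually patches `exif_data_load_data_content`; carrying the upstream commit id cdf1e32cb71c22c3df5d806d74384b3189008a47 into the spec changelog entry would make the provenance unambiguous. `exif_data_load_data_content` begins and ends outside the hunk, so whether an early `return` here leaves partially loaded IFD state behind cannot be judged from this excerpt.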