Diffstat (limited to 'graphics/libexif/files')
-rw-r--r--graphics/libexif/files/patch-CVE-2019-927886
-rw-r--r--graphics/libexif/files/patch-chromium-7344-and-1454335
-rw-r--r--graphics/libexif/files/patch-chromium-888424
3 files changed, 145 insertions, 0 deletions
diff --git a/graphics/libexif/files/patch-CVE-2019-9278 b/graphics/libexif/files/patch-CVE-2019-9278
new file mode 100644
index 000000000000..ac5e3f80b7d9
--- /dev/null
+++ b/graphics/libexif/files/patch-CVE-2019-9278
@@ -0,0 +1,86 @@
+https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566.patch
+From 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <meissner@suse.de>
+Date: Sat, 18 Jan 2020 09:29:42 +0100
+Subject: [PATCH] fix CVE-2019-9278
+
+avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away)
+
+check for the actual sizes, which should also handle the overflows
+document other places google patched, but do not seem relevant due to other restrictions
+
+fixes https://github.com/libexif/libexif/issues/26
+---
+ libexif/exif-data.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git libexif/exif-data.c libexif/exif-data.c
+index a6f9c94..6332cd1 100644
+--- libexif/exif-data.c
++++ libexif/exif-data.c
+@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
+ doff = offset + 8;
+
+ /* Sanity checks */
+- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
++ if (doff >= size) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Tag data past end of buffer (%u > %u)", doff+s, size);
++ "Tag starts past end of buffer (%u > %u)", doff, size);
++ return 0;
++ }
++
++ if (s > size - doff) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
++ "Tag data goes past end of buffer (%u > %u)", doff+s, size);
+ return 0;
+ }
+
+@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+ unsigned int ds, ExifLong o, ExifLong s)
+ {
+ /* Sanity checks */
+- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
+- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+- "Bogus thumbnail offset (%u) or size (%u).",
+- o, s);
++ if (o >= ds) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
++ return;
++ }
++ if (s > ds - o) {
++ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
+ return;
+ }
+-
+ if (data->data)
+ exif_mem_free (data->priv->mem, data->data);
+ if (!(data->data = exif_data_alloc (data, s))) {
+@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 0 at %i.", (int) offset);
+
+- /* Sanity check the offset, being careful about overflow */
++ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
+ if (offset > ds || offset + 6 + 2 > ds)
+ return;
+
+@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+
+ /* IFD 1 offset */
+ n = exif_get_short (d + 6 + offset, data->priv->order);
++ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
+ if (offset + 6 + 2 + 12 * n + 4 > ds)
+ return;
+
+@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "IFD 1 at %i.", (int) offset);
+
+- /* Sanity check. */
+- if (offset > ds || offset + 6 > ds) {
++ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
++ if (offset > ds - 6) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifData", "Bogus offset of IFD1.");
+ } else {
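Review bot: The comment added at the IFD 1 offset check in exif_data_load_data reads `offset < 2<<16`, which is 131072 rather than the 16-bit bound the reasoning relies on; the sibling comment in the IFD 0 hunk says "restricted to 16 bit", so `/* offset < 1<<16, n is 16 bit at most, so this op will not overflow */` would match it. Since this file carries the upstream commit verbatim the port may prefer to leave the text as-is, but anyone auditing the overflow argument will trip over it. Separately, the new checks in exif_data_load_data_entry bound `doff` and `s` against `size`, while the derivation of `s` is above the hunk; if it is a product of a per-format size and a component count, that multiplication is not covered by these checks and would need its own bound. All functions touched by this hunk start and end outside it.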
diff --git a/graphics/libexif/files/patch-chromium-7344-and-14543 b/graphics/libexif/files/patch-chromium-7344-and-14543
new file mode 100644
index 000000000000..4196d6ac9719
--- /dev/null
+++ b/graphics/libexif/files/patch-chromium-7344-and-14543
@@ -0,0 +1,35 @@
+https://github.com/libexif/libexif/commit/f9bb9f263fb00f0603ecbefa8957cad24168cbff.patch
+From f9bb9f263fb00f0603ecbefa8957cad24168cbff Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Wed, 4 Jul 2018 11:06:09 +0200
+Subject: [PATCH] Fix a buffer read overflow in exif_entry_get_value
+
+While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
+the end of a heap buffer. This was detected by the OSS Fuzz project.
+Patch from Google.
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543
+---
+ libexif/exif-entry.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git libexif/exif-entry.c libexif/exif-entry.c
+index 61260d3..a224ac2 100644
+--- libexif/exif-entry.c
++++ libexif/exif-entry.c
+@@ -1040,12 +1040,12 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ d = 0.;
+ entry = exif_content_get_entry (
+ e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
+- if (entry && entry->data &&
++ if (entry && entry->data && entry->size >= 7 &&
+ !strncmp ((char *)entry->data, "Minolta", 7)) {
+ entry = exif_content_get_entry (
+ e->parent->parent->ifd[EXIF_IFD_0],
+ EXIF_TAG_MODEL);
+- if (entry && entry->data) {
++ if (entry && entry->data && entry->size >= 8) {
+ if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
+ d = 3.9;
+ else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))
diff --git a/graphics/libexif/files/patch-chromium-8884 b/graphics/libexif/files/patch-chromium-8884
new file mode 100644
index 000000000000..55673b941971
--- /dev/null
+++ b/graphics/libexif/files/patch-chromium-8884
@@ -0,0 +1,24 @@
+https://github.com/libexif/libexif/commit/a0c04d9cb6ab0c41a6458def9f892754e84160a0.patch
+From a0c04d9cb6ab0c41a6458def9f892754e84160a0 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Sat, 15 Jun 2019 18:40:48 +0200
+Subject: [PATCH] fixed a buffer overread (OSS-Fuzz)
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8884
+
+---
+ libexif/olympus/exif-mnote-data-olympus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git libexif/olympus/exif-mnote-data-olympus.c libexif/olympus/exif-mnote-data-olympus.c
+index dac7f5b..669e4ec 100644
+--- libexif/olympus/exif-mnote-data-olympus.c
++++ libexif/olympus/exif-mnote-data-olympus.c
+@@ -344,7 +344,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
+
+ case nikonV2:
+ o2 += 6;
+- if (o2 >= buf_size) return;
++ if (o2 + 8 >= buf_size) return;
+ exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
+ "Parsing Nikon maker note v2 (0x%02x, %02x, %02x, "
+ "%02x, %02x, %02x, %02x, %02x)...",
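Review bot: The new guard `if (o2 + 8 >= buf_size) return;` still adds before comparing, the same construct the CVE-2019-9278 patch in this commit replaces with a subtraction; if o2 is an unsigned offset taken from the maker note, `o2 + 8` can wrap and slip past the test. `if (o2 >= buf_size || buf_size - o2 < 8) return;` expresses the same requirement (eight readable bytes at o2, presumably the ones the following exif_log prints) without the wrap. Note also that `>=` rejects the case `buf_size == o2 + 8` in which those eight bytes are still in range, which is conservative rather than wrong unless later parsing reads further. exif_mnote_data_olympus_load starts and ends outside the hunk.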