aboutsummaryrefslogtreecommitdiff
path: root/package/libexif/0002-On-saving-makernotes-make-sure-the-makernote-contain.patch
blob: 84c92593bc9e0063323f8200c1310713fe8c495f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
From c39acd1692023b26290778a02a9232c873f9d71a Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Tue, 25 Jul 2017 23:38:56 +0200
Subject: [PATCH] On saving makernotes, make sure the makernote container tags
 has a type with 1 byte components.

Fixes (at least):
	https://sourceforge.net/p/libexif/bugs/130
	https://sourceforge.net/p/libexif/bugs/129

CVE-2017-7544: libexif through 0.6.21 is vulnerable to out-of-bounds heap
read vulnerability in exif_data_save_data_entry function in
libexif/exif-data.c caused by improper length computation of the allocated
data of an ExifMnote entry which can cause denial-of-service or possibly
information disclosure.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 libexif/exif-data.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 67df4db..91f4c33 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
 			e->components = e->size;
+			if (exif_format_get_size (e->format) != 1) {
+				/* e->format is taken from input code,
+				 * but we need to make sure it is a 1 byte
+				 * entity due to the multiplication below. */
+				e->format = EXIF_FORMAT_UNDEFINED;
+			}
 		}
 	}
 
-- 
2.20.1