libexif/CVE-2020-0181-CVE-2020-0198.patch

From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Mon, 8 Jun 2020 17:27:06 +0200
Subject: [PATCH] fixed another unsigned integer overflow

first fixed by google in android fork,
https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0

(use a more generic overflow check method, also check second overflow instance.)

https://security-tracker.debian.org/tracker/CVE-2020-0198
---
 libexif/exif-data.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 8b280d3..b495726 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -47,6 +47,8 @@
 #undef JPEG_MARKER_APP1
 #define JPEG_MARKER_APP1 0xe1
 
+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
+
 static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
 
 struct _ExifDataPrivate
@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
 		return;
 	}
-	if (s > ds - o) {
+	if (CHECKOVERFLOW(o,ds,s)) {
 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
 		return;
 	}
@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
 	}
 
 	/* Read the number of entries */
-	if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
+	if (CHECKOVERFLOW(offset, ds, 2)) {
 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
-			  "Tag data past end of buffer (%u > %u)", offset+2, ds);
+			  "Tag data past end of buffer (%u+2 > %u)", offset, ds);
 		return;
 	}
 	n = exif_get_short (d + offset, data->priv->order);
@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
 	offset += 2;
 
 	/* Check if we have enough data. */
-	if (offset + 12 * n > ds) {
+	if (CHECKOVERFLOW(offset, ds, 12*n)) {
 		n = (ds - offset) / 12;
 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
 				  "Short data; only loading %hu entries...", n);
Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/libexif.git#3a936dfbb3d20ecb81e2ebcfe6328ff6c18af27d 2020-11-09 16:09:58 +00:00			`From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001`
			`From: Marcus Meissner <marcus@jet.franken.de>`
			`Date: Mon, 8 Jun 2020 17:27:06 +0200`
			`Subject: [PATCH] fixed another unsigned integer overflow`

			`first fixed by google in android fork,`
			`https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0`

			`(use a more generic overflow check method, also check second overflow instance.)`

			`https://security-tracker.debian.org/tracker/CVE-2020-0198`
			`---`
			`libexif/exif-data.c \| 10 ++++++----`
			`1 file changed, 6 insertions(+), 4 deletions(-)`

			`diff --git a/libexif/exif-data.c b/libexif/exif-data.c`
			`index 8b280d3..b495726 100644`
			`--- a/libexif/exif-data.c`
			`+++ b/libexif/exif-data.c`
			`@@ -47,6 +47,8 @@`
			`#undef JPEG_MARKER_APP1`
			`#define JPEG_MARKER_APP1 0xe1`

			`+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) \|\| (structsize > datasize) \|\| (offset > datasize - structsize ))`
			`+`
			`static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};`

			`struct _ExifDataPrivate`
			`@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData data, const unsigned char d,`
			`exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);`
			`return;`
			`}`
			`- if (s > ds - o) {`
			`+ if (CHECKOVERFLOW(o,ds,s)) {`
			`exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);`
			`return;`
			`}`
			`@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,`
			`}`

			`/* Read the number of entries */`
			`- if ((offset + 2 < offset) \|\| (offset + 2 < 2) \|\| (offset + 2 > ds)) {`
			`+ if (CHECKOVERFLOW(offset, ds, 2)) {`
			`exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",`
			`- "Tag data past end of buffer (%u > %u)", offset+2, ds);`
			`+ "Tag data past end of buffer (%u+2 > %u)", offset, ds);`
			`return;`
			`}`
			`n = exif_get_short (d + offset, data->priv->order);`
			`@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,`
			`offset += 2;`

			`/* Check if we have enough data. */`
			`- if (offset + 12 * n > ds) {`
			`+ if (CHECKOVERFLOW(offset, ds, 12*n)) {`
			`n = (ds - offset) / 12;`
			`exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",`
			`"Short data; only loading %hu entries...", n);`