libexif/CVE-2020-0452.patch
DistroBaker 38bbe202fe Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/libexif.git#3a936dfbb3d20ecb81e2ebcfe6328ff6c18af27d
2020-11-09 16:09:58 +00:00

33 lines
1.1 KiB
Diff

From 9266d14b5ca4e29b970fa03272318e5f99386e06 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Thu, 5 Nov 2020 09:50:08 +0100
Subject: [PATCH] fixed a incorrect overflow check that could be optimized
away.
inspired by:
https://android.googlesource.com/platform/external/libexif/+/8e7345f3bc0bad06ac369d6cbc1124c8ceaf7d4b
https://source.android.com/security/bulletin/2020-11-01
CVE-2020-0452
---
NEWS | 3 ++-
libexif/exif-entry.c | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
index 3fc0ff9..4b866ce 100644
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
@@ -1371,8 +1371,8 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
{
unsigned char *utf16;
- /* Sanity check the size to prevent overflow */
- if (e->size+sizeof(uint16_t)+1 < e->size) break;
+ /* Sanity check the size to prevent overflow. Note EXIF files are 64kb at most. */
+ if (e->size >= 65536 - sizeof(uint16_t)*2) break;
/* The tag may not be U+0000-terminated , so make a local
U+0000-terminated copy before converting it */