fix CVE-2020-13113 CVE-2020-13114

(cherry picked from commit 4e26abe683eea3b2e542994833a7437135a2afbb)
2021-07-26 17:27:22 +08:00 · 2021-07-26 17:27:22 +08:00 · 34a400bd1c
commit 34a400bd1c
parent b751b36c3a
3 changed files with 63 additions and 4 deletions
--- a/backport-CVE-2020-13113.patch
+++ b/backport-CVE-2020-13113.patch
--- a/backport-CVE-2020-13114.patch
+++ b/backport-CVE-2020-13114.patch
@ -0,0 +1,58 @@
+From eeec66abade83264169872acfbe14ed0e1e68d9d Mon Sep 17 00:00:00 2001
+From: yangcheng1203 <yangcheng87@huawei.com>
+Date: Mon, 26 Jul 2021 14:37:06 +0800
+Subject: [PATCH] CVE-2020-13114
+
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..3d8c790 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+ 
+ #define DEBUG
+ 
+/* Total size limit to prevent abuse by DoS */
+#define FAILSAFE_SIZE_MAX 1000000L
+
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ 	ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+ 	ExifShort c;
+ 	size_t i, tcount, o, datao;
+        long failsafe_size = 0;
+ 
+ 	if (!n || !buf || !buf_size) {
+ 		exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ 			memcpy (n->entries[tcount].data, buf + dataofs, s);
+ 		}
+ 
+		/* Track the size of decoded tag data. A malicious file could
+		* be crafted to cause extremely large values here without
+		* tripping any buffer range checks.  This is especially bad
+		* with the libexif representation of Canon MakerNotes because
+		* some arrays are turned into individual tags that the
+		* application must loop around. */
+		failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
+
+		if (failsafe_size > FAILSAFE_SIZE_MAX) {
+			/* Abort if the total size of the data in the tags extraordinarily large, */
+			exif_mem_free (ne->mem, n->entries[tcount].data);
+			exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+					  "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
+					  failsafe_size, FAILSAFE_SIZE_MAX);
+			break;
+		}
+
+ 		/* Tag was successfully parsed */
+ 		++tcount;
+ 	}
+-- 
+1.8.3.1
+
--- a/libexif.spec
+++ b/libexif.spec
@ -14,7 +14,8 @@ Patch6004:	libexif-bugfix-integer-overflow.patch
 Patch6005: 	libexif-bugfix-unsigned-int.patch
 Patch6006:	libexif-bugfix-overflow.patch
 Patch6007:      libexif-bugfix-large-loop-in-exif_loader_get_data.patch
-Patch6008:      CVE-2020-13113.patch
+Patch6008:      backport-CVE-2020-13113.patch
+Patch6009:      backport-CVE-2020-13114.patch
 Patch9001:	libexif-bugfix-integer-overflow-pentax.patch

 BuildRequires:  autoconf automake doxygen gettext-devel libtool pkgconfig git
@ -73,11 +74,11 @@ make check
 %doc libexif-api.html NEWS

 %changelog
-* Mon Jul 26 202 yangcheng <yangcheng87@huawei.com> - 0.6.21-22
+* Mon Jul 26 2021 yangcheng <yangcheng87@huawei.com> - 0.6.21-22
 - Type:CVE
- Id:CVE-2020-13113
+- Id:CVE-2020-13113,CVE-2020-13114
 - SUG:NA
- DESC:fix CVE-2020-13113
+- DESC:fix CVE-2020-13113 CVE-2020-13114

 * Sat Aug 8 2020 yanan <yanan@huawei.com> - 0.6.21-21
 - Type:bugfix