packages/libexif
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-13113 CVE-2020-13114

Browse Source 
(cherry picked from commit 4e26abe683eea3b2e542994833a7437135a2afbb)
This commit is contained in:
yangcheng1203 2021-07-26 17:27:22 +08:00 committed by openeuler-sync-bot
parent b751b36c3a
commit 34a400bd1c
3 changed files with 63 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
CVE-2020-13113.patch → backport-CVE-2020-13113.patch
View File

58
backport-CVE-2020-13114.patch Normal file
View File

@ -0,0 +1,58 @@
From eeec66abade83264169872acfbe14ed0e1e68d9d Mon Sep 17 00:00:00 2001
From: yangcheng1203 <yangcheng87@huawei.com>
Date: Mon, 26 Jul 2021 14:37:06 +0800
Subject: [PATCH] CVE-2020-13114
---
libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
index eb53598..3d8c790 100644
--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
@@ -32,6 +32,9 @@
#define DEBUG
+/* Total size limit to prevent abuse by DoS */
+#define FAILSAFE_SIZE_MAX 1000000L
+
static void
exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
{
@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
ExifShort c;
size_t i, tcount, o, datao;
+ long failsafe_size = 0;
if (!n || !buf || !buf_size) {
exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
memcpy (n->entries[tcount].data, buf + dataofs, s);
}
+ /* Track the size of decoded tag data. A malicious file could
+ * be crafted to cause extremely large values here without
+ * tripping any buffer range checks. This is especially bad
+ * with the libexif representation of Canon MakerNotes because
+ * some arrays are turned into individual tags that the
+ * application must loop around. */
+ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
+
+ if (failsafe_size > FAILSAFE_SIZE_MAX) {
+ /* Abort if the total size of the data in the tags extraordinarily large, */
+ exif_mem_free (ne->mem, n->entries[tcount].data);
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
+ failsafe_size, FAILSAFE_SIZE_MAX);
+ break;
+ }
+
/* Tag was successfully parsed */
++tcount;
}
--
1.8.3.1

9
libexif.spec
View File

@ -14,7 +14,8 @@ Patch6004: libexif-bugfix-integer-overflow.patch
Patch6005: libexif-bugfix-unsigned-int.patch Patch6005: libexif-bugfix-unsigned-int.patch
Patch6006: libexif-bugfix-overflow.patch Patch6006: libexif-bugfix-overflow.patch
Patch6007: libexif-bugfix-large-loop-in-exif_loader_get_data.patch Patch6007: libexif-bugfix-large-loop-in-exif_loader_get_data.patch
Patch6008: CVE-2020-13113.patch Patch6008: backport-CVE-2020-13113.patch
Patch6009: backport-CVE-2020-13114.patch
Patch9001: libexif-bugfix-integer-overflow-pentax.patch Patch9001: libexif-bugfix-integer-overflow-pentax.patch
BuildRequires: autoconf automake doxygen gettext-devel libtool pkgconfig git BuildRequires: autoconf automake doxygen gettext-devel libtool pkgconfig git
@ -73,11 +74,11 @@ make check
%doc libexif-api.html NEWS %doc libexif-api.html NEWS
%changelog %changelog
* Mon Jul 26 202 yangcheng <yangcheng87@huawei.com> - 0.6.21-22 * Mon Jul 26 2021 yangcheng <yangcheng87@huawei.com> - 0.6.21-22
- Type:CVE - Type:CVE
- Id:CVE-2020-13113 - Id:CVE-2020-13113,CVE-2020-13114
- SUG:NA - SUG:NA
- DESC:fix CVE-2020-13113 - DESC:fix CVE-2020-13113 CVE-2020-13114
* Sat Aug 8 2020 yanan <yanan@huawei.com> - 0.6.21-21 * Sat Aug 8 2020 yanan <yanan@huawei.com> - 0.6.21-21
- Type:bugfix - Type:bugfix