!13 [sync] PR-12: fix CVE-2020-13113 CVE-2020-13114

From: @openeuler-sync-bot
Reviewed-by: @yanan-rock
Signed-off-by: @yanan-rock

backport-CVE-2020-13113.patch

@@ -0,0 +1,63 @@
+From a4cbc451f204b8e69d1ac843f8042dea10251397 Mon Sep 17 00:00:00 2001
+From: yangcheng1203 <yangcheng87@huawei.com>
+Date: Mon, 26 Jul 2021 17:00:47 +0800
+Subject: [PATCH] CVE-2020-13113
+
+---
+ libexif/canon/exif-mnote-data-canon.c     | 1 +
+ libexif/fuji/exif-mnote-data-fuji.c       | 1 +
+ libexif/olympus/exif-mnote-data-olympus.c | 1 +
+ libexif/pentax/exif-mnote-data-pentax.c   | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..83854ad 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -233,6 +233,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ 	tcount = 0;
+ 	for (i = c, o = datao; i; --i, o += 12) {
+ 		size_t s;
++		memset(&n->entries[tcount], 0, sizeof(MnoteCanonEntry));
+ 		if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
+ 			exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				"ExifMnoteCanon", "Short MakerNote");
+diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
+index 9514654..efcf654 100644
+--- a/libexif/fuji/exif-mnote-data-fuji.c
++++ b/libexif/fuji/exif-mnote-data-fuji.c
+@@ -195,6 +195,7 @@ exif_mnote_data_fuji_load (ExifMnoteData *en,
+ 	tcount = 0;
+ 	for (i = c, o = datao; i; --i, o += 12) {
+ 		size_t s;
++		memset(&n->entries[tcount], 0, sizeof(MnoteFujiEntry));
+ 		if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
+ 			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifMnoteDataFuji", "Short MakerNote");
+diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
+index 099671d..9bf0855 100644
+--- a/libexif/olympus/exif-mnote-data-olympus.c
++++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -430,6 +430,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
+ 	tcount = 0;
+ 	for (i = c, o = o2; i; --i, o += 12) {
+ 		size_t s;
++		memset(&n->entries[tcount], 0, sizeof(MnoteOlympusEntry));
+ 		if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
+ 			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifMnoteOlympus", "Short MakerNote");
+diff --git a/libexif/pentax/exif-mnote-data-pentax.c b/libexif/pentax/exif-mnote-data-pentax.c
+index 757bb72..1de77b8 100644
+--- a/libexif/pentax/exif-mnote-data-pentax.c
++++ b/libexif/pentax/exif-mnote-data-pentax.c
+@@ -277,6 +277,7 @@ exif_mnote_data_pentax_load (ExifMnoteData *en,
+ 	tcount = 0;
+ 	for (i = c, o = datao; i; --i, o += 12) {
+ 		size_t s;
++		memset(&n->entries[tcount], 0, sizeof(MnotePentaxEntry));
+ 		if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
+ 			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifMnoteDataPentax", "Short MakerNote");
+-- 
+1.8.3.1
+

backport-CVE-2020-13114.patch

@@ -0,0 +1,58 @@
+From eeec66abade83264169872acfbe14ed0e1e68d9d Mon Sep 17 00:00:00 2001
+From: yangcheng1203 <yangcheng87@huawei.com>
+Date: Mon, 26 Jul 2021 14:37:06 +0800
+Subject: [PATCH] CVE-2020-13114
+
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..3d8c790 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+ 
+ #define DEBUG
+ 
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ 	ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+ 	ExifShort c;
+ 	size_t i, tcount, o, datao;
++        long failsafe_size = 0;
+ 
+ 	if (!n || !buf || !buf_size) {
+ 		exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ 			memcpy (n->entries[tcount].data, buf + dataofs, s);
+ 		}
+ 
++		/* Track the size of decoded tag data. A malicious file could
++		* be crafted to cause extremely large values here without
++		* tripping any buffer range checks.  This is especially bad
++		* with the libexif representation of Canon MakerNotes because
++		* some arrays are turned into individual tags that the
++		* application must loop around. */
++		failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
++
++		if (failsafe_size > FAILSAFE_SIZE_MAX) {
++			/* Abort if the total size of the data in the tags extraordinarily large, */
++			exif_mem_free (ne->mem, n->entries[tcount].data);
++			exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++					  "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
++					  failsafe_size, FAILSAFE_SIZE_MAX);
++			break;
++		}
++
+ 		/* Tag was successfully parsed */
+ 		++tcount;
+ 	}
+-- 
+1.8.3.1
+

libexif.spec

@@ -1,7 +1,7 @@
 Name:           libexif
 Summary:        Library for extracting extra information from image files
 Version:        0.6.21
-Release:        21
+Release:        22
 License:        LGPLv2+
 URL:            https://libexif.github.io/
 Source0:        https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
@@ -14,6 +14,8 @@ Patch6004:	libexif-bugfix-integer-overflow.patch
 Patch6005: 	libexif-bugfix-unsigned-int.patch
 Patch6006:	libexif-bugfix-overflow.patch
 Patch6007:      libexif-bugfix-large-loop-in-exif_loader_get_data.patch
+Patch6008:      backport-CVE-2020-13113.patch
+Patch6009:      backport-CVE-2020-13114.patch
 Patch9001:	libexif-bugfix-integer-overflow-pentax.patch
 
 BuildRequires:  autoconf automake doxygen gettext-devel libtool pkgconfig git
@@ -72,6 +74,12 @@ make check
 %doc libexif-api.html NEWS
 
 %changelog
+* Mon Jul 26 2021 yangcheng <yangcheng87@huawei.com> - 0.6.21-22
+- Type:CVE
+- Id:CVE-2020-13113,CVE-2020-13114
+- SUG:NA
+- DESC:fix CVE-2020-13113 CVE-2020-13114
+
 * Sat Aug 8 2020 yanan <yanan@huawei.com> - 0.6.21-21
 - Type:bugfix
 - Id:NA