!5 fix large loop in func exif_loader_get_data

Merge pull request !5 from yanan-rock/lts
2020-08-08 14:19:50 +08:00 · 2020-08-08 14:19:50 +08:00 · 5d4bf1b4a3
commit 5d4bf1b4a3
parent acc20272f6 f9ecdc2b63
2 changed files with 36 additions and 1 deletions
--- a/libexif-bugfix-large-loop-in-exif_loader_get_data.patch
+++ b/libexif-bugfix-large-loop-in-exif_loader_get_data.patch
@ -0,0 +1,28 @@
+From cdf1e32cb71c22c3df5d806d74384b3189008a47 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Sun, 17 May 2020 10:20:15 +0200
+Subject: [PATCH] handle illegal offsets earlier
+
+Bail out if an offset runs over the datasize.
+
+fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20065&q=libexif&can=2
+---
+ libexif/exif-data.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libexif/exif-data.c b/libexif/exif-data.c
+index 65ae93d..8b280d3 100644
+--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
+@@ -448,6 +448,11 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
+ 		case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ 			o = exif_get_long (d + offset + 12 * i + 8,
+ 					   data->priv->order);
+			if (o >= ds) {
+				exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+					  "Tag data past end of buffer (%u > %u)", offset+2, ds);
+				return;
+			}
+ 			/* FIXME: IFD_POINTER tags aren't marked as being in a
+ 			 * specific IFD, so exif_tag_get_name_in_ifd won't work
+ 			 */
--- a/libexif.spec
+++ b/libexif.spec
@ -1,7 +1,7 @@
 Name:           libexif
 Summary:        Library for extracting extra information from image files
 Version:        0.6.21
-Release:        20
+Release:        21
 License:        LGPLv2+
 URL:            https://libexif.github.io/
 Source0:        https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
@ -13,6 +13,7 @@ Patch6003:      libexif-bugfix-division-0.patch
 Patch6004:	libexif-bugfix-integer-overflow.patch
 Patch6005: 	libexif-bugfix-unsigned-int.patch
 Patch6006:	libexif-bugfix-overflow.patch
+Patch6007:      libexif-bugfix-large-loop-in-exif_loader_get_data.patch
 Patch9001:	libexif-bugfix-integer-overflow-pentax.patch

 BuildRequires:  autoconf automake doxygen gettext-devel libtool pkgconfig git
@ -71,6 +72,12 @@ make check
 %doc libexif-api.html NEWS

 %changelog
+* Sat Aug 8 2020 yanan <yanan@huawei.com> - 0.6.21-21
+- Type:bugfix
+- Id:NA
+- SUG:NA
+- DESC:handle large loop in func exif_loader_get_data
+
 * Tue Mar 10 2020 songnannan <songnannan2@huawei.com> - 0.6.21-20
 - bugfix in oss-fuzz