From 5ae5973bed1947f4d447dc80b76d5cefadd90133 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Sat, 16 May 2020 16:47:42 +0200
Subject: [PATCH] libexif: Fix read buffer overflow (CVE-2020-0093)
Make sure the number of bytes being copied doesn't exceed the
source buffer size.
From Android repo:
https://android.googlesource.com/platform/external/libexif/+/0335ffc17f9b9a4831c242bb08ea92f605fde7a6%5E%21/#F0
Test: testPocBug_148705132
Bug: 148705132
fixes https://github.com/libexif/libexif/issues/42
---
libexif/exif-data.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 6332cd1a..65ae93d5 100644
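--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -308,7 +308,9 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
 /* Write the data. Fill unneeded bytes with 0. Do not crash with
 * e->data is NULL */
 if (e->data) {
- memcpy (*d + 6 + doff, e->data, s);
+ unsigned int len = s;
+ if (e->size < s) len = e->size;
+ memcpy (*d + 6 + doff, e->data, len);
 } else {
 memset (*d + 6 + doff, 0, s);
 }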