libexif/backport-CVE-2020-13114.patch
yangcheng1203 34a400bd1c fix CVE-2020-13113 CVE-2020-13114
(cherry picked from commit 4e26abe683eea3b2e542994833a7437135a2afbb)
2021-07-27 16:27:37 +08:00


From eeec66abade83264169872acfbe14ed0e1e68d9d Mon Sep 17 00:00:00 2001
From: yangcheng1203 <yangcheng87@huawei.com>
Date: Mon, 26 Jul 2021 14:37:06 +0800
Subject: [PATCH] CVE-2020-13114
---
libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
index eb53598..3d8c790 100644
--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
@@ -32,6 +32,9 @@
#define DEBUG
+/* Total size limit to prevent abuse by DoS */
+#define FAILSAFE_SIZE_MAX 1000000L
+
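Review bot: The comment on `FAILSAFE_SIZE_MAX` says "total size" without saying what is being counted; in the load loop later in this patch the accumulator is fed by `mnote_canon_entry_count_values()` per entry, so the limit appears to be a count of decoded values across all tags rather than a byte total, and a reader of the macro alone cannot tell. Suggest `/* Upper bound on the total number of decoded tag values accepted from one MakerNote (a count, not a byte size); guards against DoS via crafted files. */`. The `L` suffix keeps the constant `long`, which matches the `long failsafe_size` accumulator so the comparison is signed on both sides.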
static void
exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
{
@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
ExifShort c;
size_t i, tcount, o, datao;
+ long failsafe_size = 0;
if (!n || !buf || !buf_size) {
exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
memcpy (n->entries[tcount].data, buf + dataofs, s);
}
+ /* Track the size of decoded tag data. A malicious file could
+ * be crafted to cause extremely large values here without
+ * tripping any buffer range checks. This is especially bad
+ * with the libexif representation of Canon MakerNotes because
+ * some arrays are turned into individual tags that the
+ * application must loop around. */
+ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
+
+ if (failsafe_size > FAILSAFE_SIZE_MAX) {
+ /* Abort if the total size of the data in the tags extraordinarily large, */
+ exif_mem_free (ne->mem, n->entries[tcount].data);
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
+ failsafe_size, FAILSAFE_SIZE_MAX);
+ break;
+ }
+
/* Tag was successfully parsed */
++tcount;
}
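Review bot: The log call in the abort branch passes `failsafe_size`, declared `long` in this function, through `%lu`; the format should be `"Failsafe tag size overflow (%ld > %ld)"` so both arguments match their types (a mismatched conversion specifier is undefined behavior and trips -Wformat if exif_log is format-checked). The comment on that branch is also garbled — `/* Abort if the total size of the data in the tags is extraordinarily large. */`. Freeing `n->entries[tcount].data` without clearing the pointer is presumably safe only because `tcount` is not incremented on this path, so the entry should fall outside whatever count is stored after the loop; that code is outside the hunk, so either confirm it or add `n->entries[tcount].data = NULL;` after the free to rule out a double free in the clear path. exif_mnote_data_canon_load continues past the end of the hunk.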
--
1.8.3.1