3 https://bugzilla.redhat.com/show_bug.cgi?id=1366239
4 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328
6 Patch copied from upstream source repository:
8 https://github.com/libexif/libexif/commit/41bd04234b104312f54d25822f68738ba8d7133d
10 From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
11 From: Marcus Meissner <marcus@jet.franken.de>
12 Date: Tue, 25 Jul 2017 23:44:44 +0200
13 Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
17 https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
19 libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
20 1 file changed, 13 insertions(+), 3 deletions(-)
22 diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
23 index d03d159..ea0429a 100644
24 --- a/libexif/pentax/mnote-pentax-entry.c
25 +++ b/libexif/pentax/mnote-pentax-entry.c
26 @@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
27 case EXIF_FORMAT_SHORT:
29 const unsigned char *data = entry->data;
30 - size_t k, len = strlen(val);
31 + size_t k, len = strlen(val), sizeleft;
33 + sizeleft = entry->size;
34 for(k=0; k<entry->components; k++) {
37 vs = exif_get_short (data, entry->order);
38 snprintf (val+len, maxlen-len, "%i ", vs);
45 case EXIF_FORMAT_LONG:
47 const unsigned char *data = entry->data;
48 - size_t k, len = strlen(val);
49 + size_t k, len = strlen(val), sizeleft;
51 + sizeleft = entry->size;
52 for(k=0; k<entry->components; k++) {
55 vl = exif_get_long (data, entry->order);
56 snprintf (val+len, maxlen-len, "%li", (long int) vl);
63 @@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,