gnu/packages/patches/libexif-CVE-2016-6328.patch

   1 Fix CVE-2016-6328:
   2
   3 https://bugzilla.redhat.com/show_bug.cgi?id=1366239
   4 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6328
   5
   6 Patch copied from upstream source repository:
   7
   8 https://github.com/libexif/libexif/commit/41bd04234b104312f54d25822f68738ba8d7133d
   9
  10 From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
  11 From: Marcus Meissner <marcus@jet.franken.de>
  12 Date: Tue, 25 Jul 2017 23:44:44 +0200
  13 Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
  14  makernote entries.
  15
  16 This should fix:
  17 https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
  18 ---
  19  libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
  20  1 file changed, 13 insertions(+), 3 deletions(-)
  21
  22 diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
  23 index d03d159..ea0429a 100644
  24 --- a/libexif/pentax/mnote-pentax-entry.c
  25 +++ b/libexif/pentax/mnote-pentax-entry.c
  26 @@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
  27                 case EXIF_FORMAT_SHORT:
  28                   {
  29                         const unsigned char *data = entry->data;
  30 -                       size_t k, len = strlen(val);
  31 +                       size_t k, len = strlen(val), sizeleft;
  32 +
  33 +                       sizeleft = entry->size;
  34                         for(k=0; k<entry->components; k++) {
  35 +                               if (sizeleft < 2)
  36 +                                       break;
  37                                 vs = exif_get_short (data, entry->order);
  38                                 snprintf (val+len, maxlen-len, "%i ", vs);
  39                                 len = strlen(val);
  40                                 data += 2;
  41 +                               sizeleft -= 2;
  42                         }
  43                   }
  44                   break;
  45                 case EXIF_FORMAT_LONG:
  46                   {
  47                         const unsigned char *data = entry->data;
  48 -                       size_t k, len = strlen(val);
  49 +                       size_t k, len = strlen(val), sizeleft;
  50 +
  51 +                       sizeleft = entry->size;
  52                         for(k=0; k<entry->components; k++) {
  53 +                               if (sizeleft < 4)
  54 +                                       break;
  55                                 vl = exif_get_long (data, entry->order);
  56                                 snprintf (val+len, maxlen-len, "%li", (long int) vl);
  57                                 len = strlen(val);
  58                                 data += 4;
  59 +                               sizeleft -= 4;
  60                         }
  61                   }
  62                   break;
  63 @@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
  64                 break;
  65         }
  66
  67 -       return (val);
  68 +       return val;
  69  }
  70 --
  71 2.16.0
  72