1 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch
new file mode 100644
index 0000000000..a6f307439b
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch
@@ -0,0 +1,64 @@
+CVE: CVE-2016-6328
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Tue, 25 Jul 2017 23:44:44 +0200
+Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
+ makernote entries.
+This should fix:
+https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
+---
+ libexif/pentax/mnote-pentax-entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index d03d159..ea0429a 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
+++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+                case EXIF_FORMAT_SHORT:
+                  {
+                        const unsigned char *data = entry->data;
+-                       size_t k, len = strlen(val);
+                       size_t k, len = strlen(val), sizeleft;
+
+                       sizeleft = entry->size;
+                        for(k=0; k<entry->components; k++) {
+                               if (sizeleft < 2)
+                                       break;
+                                vs = exif_get_short (data, entry->order);
+                                snprintf (val+len, maxlen-len, "%i ", vs);
+                                len = strlen(val);
+                                data += 2;
+                               sizeleft -= 2;
+                        }
+                  }
+                  break;
+                case EXIF_FORMAT_LONG:
+                  {
+                        const unsigned char *data = entry->data;
+-                       size_t k, len = strlen(val);
+                       size_t k, len = strlen(val), sizeleft;
+
+                       sizeleft = entry->size;
+                        for(k=0; k<entry->components; k++) {
+                               if (sizeleft < 4)
+                                       break;
+                                vl = exif_get_long (data, entry->order);
+                                snprintf (val+len, maxlen-len, "%li", (long int) vl);
+                                len = strlen(val);
+                                data += 4;
+                               sizeleft -= 4;
+                        }
+                  }
+                  break;
+@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+                break;
+        }
+ 
+-       return (val);
+       return val;
+ }

diff --git a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch new file mode 100644 index 0000000000..a6f307439b --- /dev/null +++ b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch
@@ -0,0 +1,64 @@
	1	CVE: CVE-2016-6328
	2	Upstream-Status: Backport
	3	Signed-off-by: Ross Burton <ross.burton@intel.com>
	4
	5	From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
	6	From: Marcus Meissner <marcus@jet.franken.de>
	7	Date: Tue, 25 Jul 2017 23:44:44 +0200
	8	Subject: [PATCH] fixes some (not all) buffer overreads during decoding pentax
	9	makernote entries.
	10
	11	This should fix:
	12	https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
	13	---
	14	libexif/pentax/mnote-pentax-entry.c \| 16 +++++++++++++---
	15	1 file changed, 13 insertions(+), 3 deletions(-)
	16
	17	diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
	18	index d03d159..ea0429a 100644
	19	--- a/libexif/pentax/mnote-pentax-entry.c
	20	+++ b/libexif/pentax/mnote-pentax-entry.c
	21	@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
	22	case EXIF_FORMAT_SHORT:
	23	{
	24	const unsigned char *data = entry->data;
	25	- size_t k, len = strlen(val);
	26	+ size_t k, len = strlen(val), sizeleft;
	27	+
	28	+ sizeleft = entry->size;
	29	for(k=0; k<entry->components; k++) {
	30	+ if (sizeleft < 2)
	31	+ break;
	32	vs = exif_get_short (data, entry->order);
	33	snprintf (val+len, maxlen-len, "%i ", vs);
	34	len = strlen(val);
	35	data += 2;
	36	+ sizeleft -= 2;
	37	}
	38	}
	39	break;
	40	case EXIF_FORMAT_LONG:
	41	{
	42	const unsigned char *data = entry->data;
	43	- size_t k, len = strlen(val);
	44	+ size_t k, len = strlen(val), sizeleft;
	45	+
	46	+ sizeleft = entry->size;
	47	for(k=0; k<entry->components; k++) {
	48	+ if (sizeleft < 4)
	49	+ break;
	50	vl = exif_get_long (data, entry->order);
	51	snprintf (val+len, maxlen-len, "%li", (long int) vl);
	52	len = strlen(val);
	53	data += 4;
	54	+ sizeleft -= 4;
	55	}
	56	}
	57	break;
	58	@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
	59	break;
	60	}
	61
	62	- return (val);
	63	+ return val;
	64	}