Diffstat (limited to 'meta/recipes-support/libexif/libexif/CVE-2020-13114.patch')
-rw-r--r-- | meta/recipes-support/libexif/libexif/CVE-2020-13114.patch | 73 |
1 files changed, 73 insertions, 0 deletions
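--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
+From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 16 May 2020 19:32:30 +0200
+Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
+
+subtags.
+
+A malicious file could be crafted to cause extremely large values in some
+tags without tripping any buffer range checks. This is bad with the libexif
+representation of Canon MakerNotes because some arrays are turned into
+individual tags that the application must loop around.
+
+The largest value I've seen for failsafe_size in a (very small) sample of valid
+Canon files is <5000. The limit is set two orders of magnitude larger to avoid
+tripping up falsely in case some models use much larger values.
+
+Patch from Google.
+
+CVE-2020-13114
+
+Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
+CVE: CVE-2020-13114
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
+index eb53598..72fd7a3 100644
+--- a/libexif/canon/exif-mnote-data-canon.c
++++ b/libexif/canon/exif-mnote-data-canon.c
+@@ -32,6 +32,9 @@
+ 
+ #define DEBUG
+ 
++/* Total size limit to prevent abuse by DoS */
++#define FAILSAFE_SIZE_MAX 1000000L
++
+ static void
+ exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
+ {
+@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
+ ExifShort c;
+ size_t i, tcount, o, datao;
++long failsafe_size = 0;
+ 
+ if (!n || !buf || !buf_size) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
+ memcpy (n->entries[tcount].data, buf + dataofs, s);
+ }
+ 
++/* Track the size of decoded tag data. A malicious file could
++ * be crafted to cause extremely large values here without
++ * tripping any buffer range checks. This is especially bad
++ * with the libexif representation of Canon MakerNotes because
++ * some arrays are turned into individual tags that the
++ * application must loop around. */
++failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
++
++if (failsafe_size > FAILSAFE_SIZE_MAX) {
++/* Abort if the total size of the data in the tags extraordinarily large, */
++exif_mem_free (ne->mem, n->entries[tcount].data);
++exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
++"ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
++failsafe_size, FAILSAFE_SIZE_MAX);
++break;
++}
++
+ /* Tag was successfully parsed */
+ ++tcount;
+ }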
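Review bot: The exif_log call in the third hunk of the embedded patch formats `failsafe_size`, which the second hunk declares as `long`, with `%lu`, a conversion that expects `unsigned long`; the matching line is `"ExifMnoteCanon", "Failsafe tag size overflow (%ld > %ld)",`. On common ABIs where the two types share a representation the mismatch only affects what is logged for a negative value, but it is undefined behaviour per the C standard and is exactly what `-Wformat` reports. Because this file is a verbatim backport of the upstream commit named in the Upstream-Status trailer, the correction belongs upstream first, with the backport refreshed afterwards, rather than diverging in the recipe. The comment above the exif_mem_free call is also missing a word: `/* Abort if the total size of the data in the tags is extraordinarily large. */`. The enclosing function `exif_mnote_data_canon_load` starts and ends outside the hunk, so whether the freed `n->entries[tcount].data` pointer can later be reached through the entry count cannot be confirmed from what is shown here.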