summaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-support/libexif/libexif/CVE-2020-13114.patch')
-rw-r--r--meta/recipes-support/libexif/libexif/CVE-2020-13114.patch73
1 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
new file mode 100644
index 0000000000..06b8b46c21
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/CVE-2020-13114.patch
@@ -0,0 +1,73 @@
1From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001
2From: Dan Fandrich <dan@coneharvesters.com>
3Date: Sat, 16 May 2020 19:32:30 +0200
4Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote
5
6 subtags.
7
8A malicious file could be crafted to cause extremely large values in some
9tags without tripping any buffer range checks. This is bad with the libexif
10representation of Canon MakerNotes because some arrays are turned into
11individual tags that the application must loop around.
12
13The largest value I've seen for failsafe_size in a (very small) sample of valid
14Canon files is <5000. The limit is set two orders of magnitude larger to avoid
15tripping up falsely in case some models use much larger values.
16
17Patch from Google.
18
19CVE-2020-13114
20
21Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab]
22CVE: CVE-2020-13114
23Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
24---
25 libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++
26 1 file changed, 21 insertions(+)
27
28diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
29index eb53598..72fd7a3 100644
30--- a/libexif/canon/exif-mnote-data-canon.c
31+++ b/libexif/canon/exif-mnote-data-canon.c
32@@ -32,6 +32,9 @@
33
34 #define DEBUG
35
36+/* Total size limit to prevent abuse by DoS */
37+#define FAILSAFE_SIZE_MAX 1000000L
38+
39 static void
40 exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
41 {
42@@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
43 ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
44 ExifShort c;
45 size_t i, tcount, o, datao;
46+ long failsafe_size = 0;
47
48 if (!n || !buf || !buf_size) {
49 exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
50@@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
51 memcpy (n->entries[tcount].data, buf + dataofs, s);
52 }
53
54+ /* Track the size of decoded tag data. A malicious file could
55+ * be crafted to cause extremely large values here without
56+ * tripping any buffer range checks. This is especially bad
57+ * with the libexif representation of Canon MakerNotes because
58+ * some arrays are turned into individual tags that the
59+ * application must loop around. */
60+ failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
61+
62+ if (failsafe_size > FAILSAFE_SIZE_MAX) {
63+ /* Abort if the total size of the data in the tags extraordinarily large, */
64+ exif_mem_free (ne->mem, n->entries[tcount].data);
65+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
66+ "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
67+ failsafe_size, FAILSAFE_SIZE_MAX);
68+ break;
69+ }
70+
71 /* Tag was successfully parsed */
72 ++tcount;
73 }