View | Details | Raw Unified | Return to bug 244060 | Differences between
and this patch

Collapse All | Expand All

(-)graphics/libexif/Makefile (-1 / +1 lines)
Lines 3-9 Link Here
3
3
4
PORTNAME=	libexif
4
PORTNAME=	libexif
5
PORTVERSION=	0.6.21
5
PORTVERSION=	0.6.21
6
PORTREVISION=	4
6
PORTREVISION=	5
7
CATEGORIES=	graphics
7
CATEGORIES=	graphics
8
MASTER_SITES=	SF
8
MASTER_SITES=	SF
9
9
(-)graphics/libexif/files/patch-CVE-2019-9278 (+86 lines)
Line 0 Link Here
1
https://github.com/libexif/libexif/commit/75aa73267fdb1e0ebfbc00369e7312bac43d0566.patch
2
From 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Mon Sep 17 00:00:00 2001
3
From: Marcus Meissner <meissner@suse.de>
4
Date: Sat, 18 Jan 2020 09:29:42 +0100
5
Subject: [PATCH] fix CVE-2019-9278
6
7
avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away)
8
9
check for the actual sizes, which should also handle the overflows
10
document other places google patched, but do not seem relevant due to other restrictions
11
12
fixes https://github.com/libexif/libexif/issues/26
13
---
14
 libexif/exif-data.c | 28 ++++++++++++++++++----------
15
 1 file changed, 18 insertions(+), 10 deletions(-)
16
17
diff --git libexif/exif-data.c libexif/exif-data.c
18
index a6f9c94..6332cd1 100644
19
--- libexif/exif-data.c
20
+++ libexif/exif-data.c
21
@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
22
 		doff = offset + 8;
23
 
24
 	/* Sanity checks */
25
-	if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
26
+	if (doff >= size) {
27
 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
28
-				  "Tag data past end of buffer (%u > %u)", doff+s, size);	
29
+				  "Tag starts past end of buffer (%u > %u)", doff, size);
30
+		return 0;
31
+	}
32
+
33
+	if (s > size - doff) {
34
+		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
35
+				  "Tag data goes past end of buffer (%u > %u)", doff+s, size);
36
 		return 0;
37
 	}
38
 
39
@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
40
 			       unsigned int ds, ExifLong o, ExifLong s)
41
 {
42
 	/* Sanity checks */
43
-	if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
44
-		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
45
-			  "Bogus thumbnail offset (%u) or size (%u).",
46
-			  o, s);
47
+	if (o >= ds) {
48
+		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
49
+		return;
50
+	}
51
+	if (s > ds - o) {
52
+		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
53
 		return;
54
 	}
55
-
56
 	if (data->data) 
57
 		exif_mem_free (data->priv->mem, data->data);
58
 	if (!(data->data = exif_data_alloc (data, s))) {
59
@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
60
 	exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", 
61
 		  "IFD 0 at %i.", (int) offset);
62
 
63
-	/* Sanity check the offset, being careful about overflow */
64
+	/* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
65
 	if (offset > ds || offset + 6 + 2 > ds)
66
 		return;
67
 
68
@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
69
 
70
 	/* IFD 1 offset */
71
 	n = exif_get_short (d + 6 + offset, data->priv->order);
72
+	/* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
73
 	if (offset + 6 + 2 + 12 * n + 4 > ds)
74
 		return;
75
 
76
@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
77
 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
78
 			  "IFD 1 at %i.", (int) offset);
79
 
80
-		/* Sanity check. */
81
-		if (offset > ds || offset + 6 > ds) {
82
+		/* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
83
+		if (offset > ds - 6) {
84
 			exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
85
 				  "ExifData", "Bogus offset of IFD1.");
86
 		} else {
(-)graphics/libexif/files/patch-chromium-7344-and-14543 (+35 lines)
Line 0 Link Here
1
https://github.com/libexif/libexif/commit/f9bb9f263fb00f0603ecbefa8957cad24168cbff.patch
2
From f9bb9f263fb00f0603ecbefa8957cad24168cbff Mon Sep 17 00:00:00 2001
3
From: Dan Fandrich <dan@coneharvesters.com>
4
Date: Wed, 4 Jul 2018 11:06:09 +0200
5
Subject: [PATCH] Fix a buffer read overflow in exif_entry_get_value
6
7
While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
8
the end of a heap buffer. This was detected by the OSS Fuzz project.
9
Patch from Google.
10
11
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and
12
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543
13
---
14
 libexif/exif-entry.c | 4 ++--
15
 1 file changed, 2 insertions(+), 2 deletions(-)
16
17
diff --git libexif/exif-entry.c libexif/exif-entry.c
18
index 61260d3..a224ac2 100644
19
--- libexif/exif-entry.c
20
+++ libexif/exif-entry.c
21
@@ -1040,12 +1040,12 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
22
 		d = 0.;
23
 		entry = exif_content_get_entry (
24
 			e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
25
-		if (entry && entry->data &&
26
+		if (entry && entry->data && entry->size >= 7 &&
27
 		    !strncmp ((char *)entry->data, "Minolta", 7)) {
28
 			entry = exif_content_get_entry (
29
 					e->parent->parent->ifd[EXIF_IFD_0],
30
 					EXIF_TAG_MODEL);
31
-			if (entry && entry->data) {
32
+			if (entry && entry->data && entry->size >= 8) {
33
 				if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
34
 					d = 3.9;
35
 				else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))
(-)graphics/libexif/files/patch-chromium-8884 (+24 lines)
Line 0 Link Here
1
https://github.com/libexif/libexif/commit/a0c04d9cb6ab0c41a6458def9f892754e84160a0.patch
2
From a0c04d9cb6ab0c41a6458def9f892754e84160a0 Mon Sep 17 00:00:00 2001
3
From: Marcus Meissner <marcus@jet.franken.de>
4
Date: Sat, 15 Jun 2019 18:40:48 +0200
5
Subject: [PATCH] fixed a buffer overread (OSS-Fuzz)
6
 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8884
7
8
---
9
 libexif/olympus/exif-mnote-data-olympus.c | 2 +-
10
 1 file changed, 1 insertion(+), 1 deletion(-)
11
12
diff --git libexif/olympus/exif-mnote-data-olympus.c libexif/olympus/exif-mnote-data-olympus.c
13
index dac7f5b..669e4ec 100644
14
--- libexif/olympus/exif-mnote-data-olympus.c
15
+++ libexif/olympus/exif-mnote-data-olympus.c
16
@@ -344,7 +344,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
17
 
18
 	case nikonV2:
19
 		o2 += 6;
20
-		if (o2 >= buf_size) return;
21
+		if (o2 + 8 >= buf_size) return;
22
 		exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",
23
 			"Parsing Nikon maker note v2 (0x%02x, %02x, %02x, "
24
 			"%02x, %02x, %02x, %02x, %02x)...",

Return to bug 244060