| From 47f51be021f4dfd800d4ff4630659887378baa3a Mon Sep 17 00:00:00 2001 |
| From: Dan Fandrich <dan@coneharvesters.com> |
| Date: Sat, 16 May 2020 19:32:30 +0200 |
| Subject: [PATCH] Add a failsafe on the maximum number of Canon MakerNote |
| |
| subtags. |
| |
| A malicious file could be crafted to cause extremely large values in some |
| tags without tripping any buffer range checks. This is bad with the libexif |
| representation of Canon MakerNotes because some arrays are turned into |
| individual tags that the application must loop around. |
| |
| The largest value I've seen for failsafe_size in a (very small) sample of valid |
| Canon files is <5000. The limit is set two orders of magnitude larger to avoid |
| tripping up falsely in case some models use much larger values. |
| |
| Patch from Google. |
| |
| CVE-2020-13114 |
| |
| Upstream-Status: Backport [https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab] |
| CVE: CVE-2020-13114 |
| Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> |
| --- |
| libexif/canon/exif-mnote-data-canon.c | 21 +++++++++++++++++++++ |
| 1 file changed, 21 insertions(+) |
| |
| diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c |
| index eb53598..72fd7a3 100644 |
| --- a/libexif/canon/exif-mnote-data-canon.c |
| +++ b/libexif/canon/exif-mnote-data-canon.c |
| @@ -32,6 +32,9 @@ |
| |
| #define DEBUG |
| |
| +/* Total size limit to prevent abuse by DoS */ |
| +#define FAILSAFE_SIZE_MAX 1000000L |
| + |
| static void |
| exif_mnote_data_canon_clear (ExifMnoteDataCanon *n) |
| { |
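Review bot: The comment on the `FAILSAFE_SIZE_MAX` define does not record where the limit comes from, so a later reader cannot judge whether 1000000 is tight or generous when tuning it; the commit message gives the rationale (largest value seen in valid Canon files is under 5000, limit set two orders of magnitude higher). Suggest carrying that into the code: `/* Total size limit to prevent abuse by DoS. Largest value observed in valid Canon files is <5000; set ~100x higher to avoid false positives on models using larger values. */`. The define sits at file scope; only the opening of exif_mnote_data_canon_clear is visible in this hunk, its body continues outside it.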
| @@ -202,6 +205,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne, |
| ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne; |
| ExifShort c; |
| size_t i, tcount, o, datao; |
| + long failsafe_size = 0; |
| |
| if (!n || !buf || !buf_size) { |
| exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA, |
| @@ -280,6 +284,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne, |
| memcpy (n->entries[tcount].data, buf + dataofs, s); |
| } |
| |
| + /* Track the size of decoded tag data. A malicious file could |
| + * be crafted to cause extremely large values here without |
| + * tripping any buffer range checks. This is especially bad |
| + * with the libexif representation of Canon MakerNotes because |
| + * some arrays are turned into individual tags that the |
| + * application must loop around. */ |
| + failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]); |
| + |
| + if (failsafe_size > FAILSAFE_SIZE_MAX) { |
| + /* Abort if the total size of the data in the tags extraordinarily large, */ |
| + exif_mem_free (ne->mem, n->entries[tcount].data); |
| + exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA, |
| + "ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)", |
| + failsafe_size, FAILSAFE_SIZE_MAX); |
| + break; |
| + } |
| + |
| /* Tag was successfully parsed */ |
| ++tcount; |
| } |
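Review bot: The exif_log call on the `"Failsafe tag size overflow (%lu > %ld)"` line formats `failsafe_size`, which the earlier hunk declares as `long`, with `%lu`; the conversion specifier must match the argument type (`-Wformat` flags this), so it should read `"Failsafe tag size overflow (%ld > %ld)"`. The comment directly above that call is also ungrammatical, `/* Abort if the total size of the data in the tags is extraordinarily large. */`. After the `break`, `n->entries[tcount].data` has been freed but the pointer is left in the entry; if the rest of the function only walks entries below `tcount` this is harmless, but adding `n->entries[tcount].data = NULL;` after the free would make it safe regardless of how the count is finalised. The return type of `mnote_canon_entry_count_values` is not visible here, so whether the accumulation into a signed `long` can overflow on a crafted file depends on it and is worth confirming. exif_mnote_data_canon_load's body starts and ends outside the hunk.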