poky/meta/recipes-support/libexif/files/CVE-2020-0198.patch - stefanberger/openbmc - Gitiles

 From ca71eda33fe8421f98fbe20eb4392473357c1c43 Mon Sep 17 00:00:00 2001
 From: Changqing Li <changqing.li@windriver.com>
 Date: Wed, 30 Dec 2020 10:22:47 +0800
 Subject: [PATCH] fixed another unsigned integer overflow

 first fixed by google in android fork,
 https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0

 (use a more generic overflow check method, also check second overflow instance.)

 https://security-tracker.debian.org/tracker/CVE-2020-0198

 Upstream-Status: Backport[https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c]
 CVE: CVE-2020-0198

 Signed-off-by: Changqing Li <changqing.li@windriver.com>
 ---
  libexif/exif-data.c | 10 ++++++----
  1 file changed, 6 insertions(+), 4 deletions(-)

 diff --git a/libexif/exif-data.c b/libexif/exif-data.c
 index 8b280d3..34d58fc 100644
 --- a/libexif/exif-data.c
 +++ b/libexif/exif-data.c
 @@ -47,6 +47,8 @@
  #undef JPEG_MARKER_APP1
  #define JPEG_MARKER_APP1 0xe1

 +#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
 +
  static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};

  struct _ExifDataPrivate
 @@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
  		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
  		return;
  	}
 -	if (s > ds - o) {
 +	if (CHECKOVERFLOW(o,ds,s)) {
  		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
  		return;
  	}
 @@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
  	}

  	/* Read the number of entries */
 -	if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
 +	if (CHECKOVERFLOW(offset, ds, 2)) {
  		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
 -			  "Tag data past end of buffer (%u > %u)", offset+2, ds);
 +			  "Tag data past end of buffer (%u+2 > %u)", offset, ds);
  		return;
  	}
  	n = exif_get_short (d + offset, data->priv->order);
 @@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
  	offset += 2;

  	/* Check if we have enough data. */
 -	if (offset + 12 * n > ds) {
 +	if (CHECKOVERFLOW(offset, ds, 12*n)) {
  		n = (ds - offset) / 12;
  		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
  				  "Short data; only loading %hu entries...", n);
 --
 2.17.1
	From ca71eda33fe8421f98fbe20eb4392473357c1c43 Mon Sep 17 00:00:00 2001
	From: Changqing Li <changqing.li@windriver.com>
	Date: Wed, 30 Dec 2020 10:22:47 +0800
	Subject: [PATCH] fixed another unsigned integer overflow

	first fixed by google in android fork,
	https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0

	(use a more generic overflow check method, also check second overflow instance.)

	https://security-tracker.debian.org/tracker/CVE-2020-0198

	Upstream-Status: Backport[https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c]
	CVE: CVE-2020-0198

	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	---
	libexif/exif-data.c \| 10 ++++++----
	1 file changed, 6 insertions(+), 4 deletions(-)

	diff --git a/libexif/exif-data.c b/libexif/exif-data.c
	index 8b280d3..34d58fc 100644
	--- a/libexif/exif-data.c
	+++ b/libexif/exif-data.c
	@@ -47,6 +47,8 @@
	#undef JPEG_MARKER_APP1
	#define JPEG_MARKER_APP1 0xe1

	+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) \|\| (structsize > datasize) \|\| (offset > datasize - structsize ))
	+
	static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};

	struct _ExifDataPrivate
	@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData data, const unsigned char d,
	exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
	return;
	}
	- if (s > ds - o) {
	+ if (CHECKOVERFLOW(o,ds,s)) {
	exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
	return;
	}
	@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
	}

	/* Read the number of entries */
	- if ((offset + 2 < offset) \|\| (offset + 2 < 2) \|\| (offset + 2 > ds)) {
	+ if (CHECKOVERFLOW(offset, ds, 2)) {
	exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
	- "Tag data past end of buffer (%u > %u)", offset+2, ds);
	+ "Tag data past end of buffer (%u+2 > %u)", offset, ds);
	return;
	}
	n = exif_get_short (d + offset, data->priv->order);
	@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
	offset += 2;

	/* Check if we have enough data. */
	- if (offset + 12 * n > ds) {
	+ if (CHECKOVERFLOW(offset, ds, 12*n)) {
	n = (ds - offset) / 12;
	exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
	"Short data; only loading %hu entries...", n);
	--
	2.17.1