fix fuzz test error

2022-10-18 09:00:17 +00:00 · 2022-10-18 09:00:17 +00:00 · 4398d5cca0
commit 4398d5cca0
parent 63234ee381
3 changed files with 79 additions and 2 deletions
--- a/backport-fuzz-stack-overflow.patch
+++ b/backport-fuzz-stack-overflow.patch
@ -0,0 +1,34 @@
+From 49a74b371c322a1e55e242a230a7bb577ebe065b Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Mon, 6 Sep 2021 08:42:56 +0200
+Subject: [PATCH] replace tail recursion by direct loop, in case the compiler
+ does not translate it into a tail recursion it could be used to cause stack
+ overruns (oss-fuzz)
+
+---
+ libexif/exif-loader.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libexif/exif-loader.c b/libexif/exif-loader.c
+index e376465..5c48faf 100644
+--- a/libexif/exif-loader.c
+++ b/libexif/exif-loader.c
+@@ -154,6 +154,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
+ {
+ 	unsigned int i;
+ 
+begin:
+ 	if (!eld || (len && !buf)) 
+ 		return 0;
+ 
+@@ -310,7 +311,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
+ 	 * to read all data we need. Fill it with new data.
+ 	 */
+ 	eld->b_len = 0;
+-	return exif_loader_write (eld, buf, len);
+	goto begin;
+ }
+ 
+ ExifLoader *
+-- 
+2.27.0
--- a/backport-fuzz-timeout-and-out-of-memory.patch
+++ b/backport-fuzz-timeout-and-out-of-memory.patch
@ -0,0 +1,38 @@
+From e93be918878ab98ee45430858e96cb302ffee2bc Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Sat, 30 Jan 2021 14:06:08 +0100
+Subject: [PATCH] limit the amount of tags we allow in the makernote here.
+
+due to memory layout the max amount of 65536 tags could be used
+to exhaust lots of memory and time during parsing,
+as each tag can reuse the same memory range.
+
+(Memory usage DOS (2GB+) and compute dos (several minutes on fast machine, but not endless))
+
+This fixes OSS-FUZZ issue 27280.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27280
+---
+ libexif/olympus/exif-mnote-data-olympus.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
+index 45e4bc5..0c68d51 100644
+--- a/libexif/olympus/exif-mnote-data-olympus.c
+++ b/libexif/olympus/exif-mnote-data-olympus.c
+@@ -419,6 +419,13 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
+ 	c = exif_get_short (buf + o2, n->order);
+ 	o2 += 2;
+ 
+	/* Just use an arbitrary max tag limit here to avoid needing to much memory or time. There are 150 named tags currently.
+	 * The format allows specifying the same range of memory as often as it can, so this multiplies quickly. */
+	if (c > 300) {
+		exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Too much tags (%d) in Olympus MakerNote", c);
+		return;
+	}
+
+ 	/* Remove any old entries */
+ 	exif_mnote_data_olympus_clear (n);
+ 
+-- 
+2.27.0
--- a/libexif.spec
+++ b/libexif.spec
@ -1,13 +1,15 @@
 Name:           libexif
 Summary:        Library for extracting extra information from image files
 Version:        0.6.22
-Release:        2
+Release:        3
 License:        LGPLv2+
 URL:            https://libexif.github.io/

 Source0:        https://github.com/libexif/libexif/archive/libexif-%(echo %{version} | sed "s/\./_/g")-release.tar.gz

 Patch0:         CVE-2020-0198.patch
+Patch6000:	backport-fuzz-stack-overflow.patch
+Patch6001:	backport-fuzz-timeout-and-out-of-memory.patch
 Patch9000:	libexif-bugfix-integer-overflow-pentax.patch

 BuildRequires:  autoconf automake doxygen gettext-devel libtool pkgconfig
@ -68,7 +70,10 @@ make check
 %doc libexif-api.html NEWS

 %changelog
-* Thu Sep 10 2020 hanhui <hanhui15@huawei.com> - 0.6.21-22
+* Tue Oct 18 2022 wangkerong <wangkerong@h-partners.com> - 0.6.21-3
+- fix fuzz test error
+
+* Thu Sep 10 2020 hanhui <hanhui15@huawei.com> - 0.6.21-2
 - Type:bugfix
 - ID:NA
 - SUG:NA