update to 0.6.24

2023-08-18 10:14:42 +08:00 · 2023-08-18 10:14:42 +08:00 · 58c20521bc
commit 58c20521bc
parent ea2ec8e883
7 changed files with 6 additions and 163 deletions
--- a/CVE-2020-0198.patch
+++ b/CVE-2020-0198.patch
@ -1,58 +0,0 @@
 From ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c Mon Sep 17 00:00:00 2001
 From: Marcus Meissner <marcus@jet.franken.de>
 Date: Mon, 8 Jun 2020 17:27:06 +0200
 Subject: [PATCH] fixed another unsigned integer overflow
 first fixed by google in android fork,
 https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0
 (use a more generic overflow check method, also check second overflow instance.)
 https://security-tracker.debian.org/tracker/CVE-2020-0198
 ---
 libexif/exif-data.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
 diff --git a/libexif/exif-data.c b/libexif/exif-data.c
 index 8b280d3..b495726 100644
 --- a/libexif/exif-data.c
 +++ b/libexif/exif-data.c
@@ -47,6 +47,8 @@
 #undef JPEG_MARKER_APP1
 #define JPEG_MARKER_APP1 0xe1
 +#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
 +
 static const unsigned char ExifHeader[] = {0x45, 0x78, 0x69, 0x66, 0x00, 0x00};
 struct _ExifDataPrivate
@@ -327,7 +329,7 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
 		return;
 	}
 -	if (s > ds - o) {
 +	if (CHECKOVERFLOW(o,ds,s)) {
 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
 		return;
 	}
@@ -420,9 +422,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
 	}
 	/* Read the number of entries */
 -	if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
 +	if (CHECKOVERFLOW(offset, ds, 2)) {
 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
 -			  "Tag data past end of buffer (%u > %u)", offset+2, ds);
 +			  "Tag data past end of buffer (%u+2 > %u)", offset, ds);
 		return;
 	}
 	n = exif_get_short (d + offset, data->priv->order);
@@ -431,7 +433,7 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
 	offset += 2;
 	/* Check if we have enough data. */
 -	if (offset + 12 * n > ds) {
 +	if (CHECKOVERFLOW(offset, ds, 12*n)) {
 		n = (ds - offset) / 12;
 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
 				  "Short data; only loading %hu entries...", n);
--- a/backport-fuzz-stack-overflow.patch
+++ b/backport-fuzz-stack-overflow.patch
@ -1,34 +0,0 @@
 From 49a74b371c322a1e55e242a230a7bb577ebe065b Mon Sep 17 00:00:00 2001
 From: Marcus Meissner <marcus@jet.franken.de>
 Date: Mon, 6 Sep 2021 08:42:56 +0200
 Subject: [PATCH] replace tail recursion by direct loop, in case the compiler
 does not translate it into a tail recursion it could be used to cause stack
 overruns (oss-fuzz)
 ---
 libexif/exif-loader.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/libexif/exif-loader.c b/libexif/exif-loader.c
 index e376465..5c48faf 100644
 --- a/libexif/exif-loader.c
 +++ b/libexif/exif-loader.c
@@ -154,6 +154,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
 {
 	unsigned int i;
 +begin:
 	if (!eld || (len && !buf)) 
 		return 0;
@@ -310,7 +311,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
 	 * to read all data we need. Fill it with new data.
 	 */
 	eld->b_len = 0;
 -	return exif_loader_write (eld, buf, len);
 +	goto begin;
 }
 ExifLoader *
 -- 
 2.27.0
--- a/backport-fuzz-timeout-and-out-of-memory.patch
+++ b/backport-fuzz-timeout-and-out-of-memory.patch
@ -1,38 +0,0 @@
 From e93be918878ab98ee45430858e96cb302ffee2bc Mon Sep 17 00:00:00 2001
 From: Marcus Meissner <marcus@jet.franken.de>
 Date: Sat, 30 Jan 2021 14:06:08 +0100
 Subject: [PATCH] limit the amount of tags we allow in the makernote here.
 due to memory layout the max amount of 65536 tags could be used
 to exhaust lots of memory and time during parsing,
 as each tag can reuse the same memory range.
 (Memory usage DOS (2GB+) and compute dos (several minutes on fast machine, but not endless))
 This fixes OSS-FUZZ issue 27280.
 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27280
 ---
 libexif/olympus/exif-mnote-data-olympus.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
 index 45e4bc5..0c68d51 100644
 --- a/libexif/olympus/exif-mnote-data-olympus.c
 +++ b/libexif/olympus/exif-mnote-data-olympus.c
@@ -419,6 +419,13 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
 	c = exif_get_short (buf + o2, n->order);
 	o2 += 2;
 +	/* Just use an arbitrary max tag limit here to avoid needing to much memory or time. There are 150 named tags currently.
 +	 * The format allows specifying the same range of memory as often as it can, so this multiplies quickly. */
 +	if (c > 300) {
 +		exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Too much tags (%d) in Olympus MakerNote", c);
 +		return;
 +	}
 +
 	/* Remove any old entries */
 	exif_mnote_data_olympus_clear (n);
 -- 
 2.27.0
--- a/libexif-0_6_22-release.tar.gz
+++ b/libexif-0_6_22-release.tar.gz
--- a/libexif-0_6_24-release.tar.gz
+++ b/libexif-0_6_24-release.tar.gz
--- a/libexif-bugfix-integer-overflow-pentax.patch
+++ b/libexif-bugfix-integer-overflow-pentax.patch
@ -1,25 +0,0 @@
 From 9474cc8aef621e83b00dd4c414a834426415bfbe Mon Sep 17 00:00:00 2001
 From: songnannan2 <songnannan2@huawei.com>
 Date: Tue, 18 Feb 2020 23:00:27 +0800
 Subject: [PATCH] bugfix about can not be represented in type int
 ---
 libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
 index dcb1560..691a2bd 100644
 --- a/libexif/pentax/mnote-pentax-entry.c
 +++ b/libexif/pentax/mnote-pentax-entry.c
@@ -365,7 +365,7 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
 			CF (entry->format, EXIF_FORMAT_SHORT, val, maxlen);
 			CC2 (entry->components, 1, 2, val, maxlen);
 			vs = exif_get_short (entry->data, entry->order);
 -			vs2 = exif_get_short (entry->data+2, entry->order) << 16;
 +			vs2 = (ExifShort)exif_get_short (entry->data+2, entry->order) << 16;
 			/* search the tag */
 			for (i = 0; (items2[i].tag && items2[i].tag != entry->tag); i++);
 -- 
 2.19.1
--- a/libexif.spec
+++ b/libexif.spec
@ -1,17 +1,12 @@
 Name:           libexif
 Summary:        Library for extracting extra information from image files
-Version:        0.6.22
+Version:        0.6.24
-Release:        3
+Release:        1
 License:        LGPLv2+
 URL:            https://libexif.github.io/
 Source0:        https://github.com/libexif/libexif/archive/libexif-%(echo %{version} | sed "s/\./_/g")-release.tar.gz
 Patch0:         CVE-2020-0198.patch
 Patch6000:	backport-fuzz-stack-overflow.patch
 Patch6001:	backport-fuzz-timeout-and-out-of-memory.patch
 Patch9000:	libexif-bugfix-integer-overflow-pentax.patch
 BuildRequires:  autoconf automake doxygen gettext-devel libtool pkgconfig
 %description
@ -31,7 +26,7 @@ for writing programs that use libexif.
 %package_help
 %prep
-%autosetup -n libexif-libexif-0_6_22-release -p1 
+%autosetup -n libexif-libexif-0_6_24-release -p1 
 %build
 autoreconf -fiv
@ -70,6 +65,9 @@ make check
 %doc libexif-api.html NEWS
 %changelog
 * Fri Aug 18 2023 wangqia <wangqia@uniontech.com> - 0.6.24-1
 - update to 0.6.24
 * Tue Oct 18 2022 wangkerong <wangkerong@h-partners.com> - 0.6.21-3
 - fix fuzz test error