!1 libexif: bugfix in oss-fuzz

Merge pull request !1 from orange-snn/master
2020-03-10 16:51:50 +08:00 · 2020-03-10 16:51:50 +08:00 · acc20272f6
commit acc20272f6
parent e4a47fd37f 3b673cd83c
6 changed files with 163 additions and 3 deletions
--- a/libexif-bugfix-division-0.patch
+++ b/libexif-bugfix-division-0.patch
@ -0,0 +1,37 @@
+From d66dea055522290c1ef34e3ae914146cd52b5d8e Mon Sep 17 00:00:00 2001
+From: songnannan2 <songnannan2@huawei.com>
+Date: Sat, 15 Feb 2020 20:44:53 +0800
+Subject: [PATCH] libexif: modification summary
+
+---
+ libexif-0.6.21/libexif/exif-entry.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
+index 54a90a2..436e8a7 100644
+--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
+@@ -1085,7 +1085,7 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ 			break;
+ 		}
+ 		d = (double) v_rat.numerator / (double) v_rat.denominator;
+-		if (d < 1)
+		if (d < 1 && d)
+ 			snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d));
+ 		else
+ 			snprintf (val, maxlen, "%i", (int) d);
+@@ -1102,8 +1102,9 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ 		}
+ 		d = (double) v_srat.numerator / (double) v_srat.denominator;
+ 		snprintf (val, maxlen, _("%.02f EV"), d);
+-		d = 1. / pow (2, d);
+-		if (d < 1)
+		if (pow (2, d))
+			d = 1. / pow (2, d);
+		if (d < 1 && d)
+ 		  snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d));
+ 		else
+ 		  snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d);
+-- 
+2.19.1
+
--- a/libexif-bugfix-integer-overflow-pentax.patch
+++ b/libexif-bugfix-integer-overflow-pentax.patch
@ -0,0 +1,25 @@
+From 9474cc8aef621e83b00dd4c414a834426415bfbe Mon Sep 17 00:00:00 2001
+From: songnannan2 <songnannan2@huawei.com>
+Date: Tue, 18 Feb 2020 23:00:27 +0800
+Subject: [PATCH] bugfix about can not be represented in type int
+
+---
+ libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index dcb1560..691a2bd 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
+++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -365,7 +365,7 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ 			CF (entry->format, EXIF_FORMAT_SHORT, val, maxlen);
+ 			CC2 (entry->components, 1, 2, val, maxlen);
+ 			vs = exif_get_short (entry->data, entry->order);
+-			vs2 = exif_get_short (entry->data+2, entry->order) << 16;
+			vs2 = (ExifShort)exif_get_short (entry->data+2, entry->order) << 16;
+ 
+ 			/* search the tag */
+ 			for (i = 0; (items2[i].tag && items2[i].tag != entry->tag); i++);
+-- 
+2.19.1
+
--- a/libexif-bugfix-integer-overflow.patch
+++ b/libexif-bugfix-integer-overflow.patch
@ -0,0 +1,25 @@
+From c7c4de72c04b5b795ce8df9c49648431bd22ee7e Mon Sep 17 00:00:00 2001
+From: songnannan2 <songnannan2@huawei.com>
+Date: Mon, 17 Feb 2020 15:41:28 +0800
+Subject: [PATCH] bugfix in Integer overflow
+
+---
+ libexif/exif-loader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libexif-0.6.21/libexif/exif-loader.c b/libexif-0.6.21/libexif/exif-loader.c
+index 317b86b..e376465 100644
+--- a/libexif/exif-loader.c
+++ b/libexif/exif-loader.c
+@@ -239,7 +239,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
+ 			break;
+ 
+ 		case EL_READ_SIZE_BYTE_24:
+-			eld->size |= eld->b[i] << 24;
+			eld->size |= (unsigned int)eld->b[i] << 24;
+ 			eld->state = EL_READ_SIZE_BYTE_16;
+ 			break;
+ 		case EL_READ_SIZE_BYTE_16:
+-- 
+2.19.1
+
--- a/libexif-bugfix-overflow.patch
+++ b/libexif-bugfix-overflow.patch
@ -0,0 +1,36 @@
+From f9bb9f263fb00f0603ecbefa8957cad24168cbff Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Wed, 4 Jul 2018 11:06:09 +0200
+Subject: [PATCH] Fix a buffer read overflow in exif_entry_get_value
+
+While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
+the end of a heap buffer. This was detected by the OSS Fuzz project.
+Patch from Google.
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543
+---
+ libexif/exif-entry.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
+index 61260d3..a224ac2 100644
+--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
+@@ -1040,12 +1040,12 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ 		d = 0.;
+ 		entry = exif_content_get_entry (
+ 			e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
+-		if (entry && entry->data &&
+		if (entry && entry->data && entry->size >= 7 &&
+ 		    !strncmp ((char *)entry->data, "Minolta", 7)) {
+ 			entry = exif_content_get_entry (
+ 					e->parent->parent->ifd[EXIF_IFD_0],
+ 					EXIF_TAG_MODEL);
+-			if (entry && entry->data) {
+			if (entry && entry->data && entry->size >= 8) {
+ 				if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
+ 					d = 3.9;
+ 				else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))
+
+
--- a/libexif-bugfix-unsigned-int.patch
+++ b/libexif-bugfix-unsigned-int.patch
@ -0,0 +1,30 @@
+From cf37dc7934bbb10dc5d0c17db260a25aa2831595 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner <marcus@jet.franken.de>
+Date: Sat, 18 Jan 2020 19:50:38 +0100
+Subject: [PATCH] cast to unsigned int before shifting left
+
+(weird integer promotion, a unsigned char will be first tried to be promoted to "int" apparently,
+so we need to cast it to avoid implicit behaviour)
+
+fixes https://github.com/libexif/libexif/issues/20
+---
+ libexif/exif-utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libexif/exif-utils.c b/libexif/exif-utils.c
+index 9083ddc..8a92907 100644
+--- a/libexif/exif-utils.c
+++ b/libexif/exif-utils.c
+@@ -132,9 +132,9 @@ exif_get_slong (const unsigned char *b, ExifByteOrder order)
+ 	if (!b) return 0;
+         switch (order) {
+         case EXIF_BYTE_ORDER_MOTOROLA:
+-                return ((b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]);
+                return (((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | (uint32_t)b[3]);
+         case EXIF_BYTE_ORDER_INTEL:
+-                return ((b[3] << 24) | (b[2] << 16) | (b[1] << 8) | b[0]);
+                return (((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) | ((uint32_t)b[1] << 8) | (uint32_t)b[0]);
+         }
+ 
+ 	/* Won't be reached */
+
--- a/libexif.spec
+++ b/libexif.spec
@ -1,15 +1,19 @@
 Name:           libexif
 Summary:        Library for extracting extra information from image files
 Version:        0.6.21
-Release:        19
+Release:        20
 License:        LGPLv2+
 URL:            https://libexif.github.io/
 Source0:        https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
-#patch0 comes from fedora
-Patch0:         41bd04234b104312f54d25822f68738ba8d7133d.patch

+Patch0:         41bd04234b104312f54d25822f68738ba8d7133d.patch
 Patch6000:      libexif-0.6.21_CVE-2017-7544.patch
 Patch6001:      CVE-2018-20030.patch
+Patch6003:      libexif-bugfix-division-0.patch
+Patch6004:	libexif-bugfix-integer-overflow.patch
+Patch6005: 	libexif-bugfix-unsigned-int.patch
+Patch6006:	libexif-bugfix-overflow.patch
+Patch9001:	libexif-bugfix-integer-overflow-pentax.patch

 BuildRequires:  autoconf automake doxygen gettext-devel libtool pkgconfig git

@ -67,6 +71,9 @@ make check
 %doc libexif-api.html NEWS

 %changelog
+* Tue Mar 10 2020 songnannan <songnannan2@huawei.com> - 0.6.21-20
+- bugfix in oss-fuzz
+
 * Sat Oct 19 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.6.21-19
 - Type:bugfix
 - Id:NA