From 3b673cd83c2d0b2c4307bc0ed9d60bafbb7e070b Mon Sep 17 00:00:00 2001
From: orange-snn
Date: Tue, 10 Mar 2020 15:28:59 +0800
Subject: [PATCH] bugfix in oss-fuzz

---
 libexif-bugfix-division-0.patch | 37 ++++++++++++++++++++
 libexif-bugfix-integer-overflow-pentax.patch | 25 +++++++++++++
 libexif-bugfix-integer-overflow.patch | 25 +++++++++++++
 libexif-bugfix-overflow.patch | 36 +++++++++++++++++++
 libexif-bugfix-unsigned-int.patch | 30 ++++++++++++++++
 libexif.spec | 13 +++++--
 6 files changed, 163 insertions(+), 3 deletions(-)
 create mode 100644 libexif-bugfix-division-0.patch
 create mode 100644 libexif-bugfix-integer-overflow-pentax.patch
 create mode 100644 libexif-bugfix-integer-overflow.patch
 create mode 100644 libexif-bugfix-overflow.patch
 create mode 100644 libexif-bugfix-unsigned-int.patch

diff --git a/libexif-bugfix-division-0.patch b/libexif-bugfix-division-0.patch
new file mode 100644
index 0000000..934ddcb
--- /dev/null
+++ b/libexif-bugfix-division-0.patch
@@ -0,0 +1,37 @@
+From d66dea055522290c1ef34e3ae914146cd52b5d8e Mon Sep 17 00:00:00 2001
+From: songnannan2
+Date: Sat, 15 Feb 2020 20:44:53 +0800
+Subject: [PATCH] libexif: modification summary
+
+---
+ libexif-0.6.21/libexif/exif-entry.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
+index 54a90a2..436e8a7 100644
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1085,7 +1085,7 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ break;
+ }
+ d = (double) v_rat.numerator / (double) v_rat.denominator;
+- if (d < 1)
++ if (d < 1 && d)
+ snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d));
+ else
+ snprintf (val, maxlen, "%i", (int) d);
+@@ -1102,8 +1102,9 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ }
+ d = (double) v_srat.numerator / (double) v_srat.denominator;
+ snprintf (val, maxlen, _("%.02f EV"), d);
+- d = 1. / pow (2, d);
+- if (d < 1)
++ if (pow (2, d))
++ d = 1. / pow (2, d);
++ if (d < 1 && d)
+ snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d));
+ else
+ snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d);
+--
+2.19.1
+
diff --git a/libexif-bugfix-integer-overflow-pentax.patch b/libexif-bugfix-integer-overflow-pentax.patch
new file mode 100644
index 0000000..9139d37
--- /dev/null
+++ b/libexif-bugfix-integer-overflow-pentax.patch
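Review bot: The new `if (d < 1 && d)` only protects the `1. / d` division; the `(int)` conversions on both branches of each hunk are still unbounded, and since ExifRational's fields are 32-bit, a numerator of 0xFFFFFFFF over a denominator of 1 (or 1 over 0xFFFFFFFF on the reciprocal branch) produces a double above INT_MAX, whose conversion to int is undefined behaviour — the same class of finding the other patches in this commit fix. Clamping before each cast, e.g. `if (d > INT_MAX) d = INT_MAX;` ahead of the `(int)` conversion, or formatting with `%.0f` instead of `%i`, would close it. In the second hunk, when `pow (2, d)` underflows to zero `d` is left holding the raw EV value and then feeds `(int) (1. / d)`; that appears harmless but a one-line comment stating the intent would help the next reader. The patch header `Subject: [PATCH] libexif: modification summary` is a placeholder and should describe the fix (zero exposure time / shutter speed reaching a division). Both hunks sit inside `exif_entry_get_value`, whose body lies outside the hunk.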
@@ -0,0 +1,25 @@
+From 9474cc8aef621e83b00dd4c414a834426415bfbe Mon Sep 17 00:00:00 2001
+From: songnannan2
+Date: Tue, 18 Feb 2020 23:00:27 +0800
+Subject: [PATCH] bugfix about can not be represented in type int
+
+---
+ libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
+index dcb1560..691a2bd 100644
+--- a/libexif/pentax/mnote-pentax-entry.c
++++ b/libexif/pentax/mnote-pentax-entry.c
+@@ -365,7 +365,7 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
+ CF (entry->format, EXIF_FORMAT_SHORT, val, maxlen);
+ CC2 (entry->components, 1, 2, val, maxlen);
+ vs = exif_get_short (entry->data, entry->order);
+- vs2 = exif_get_short (entry->data+2, entry->order) << 16;
++ vs2 = (ExifShort)exif_get_short (entry->data+2, entry->order) << 16;
+
+ /* search the tag */
+ for (i = 0; (items2[i].tag && items2[i].tag != entry->tag); i++);
+--
+2.19.1
+
diff --git a/libexif-bugfix-integer-overflow.patch b/libexif-bugfix-integer-overflow.patch
new file mode 100644
index 0000000..8f3c174
--- /dev/null
+++ b/libexif-bugfix-integer-overflow.patch
@@ -0,0 +1,25 @@
+From c7c4de72c04b5b795ce8df9c49648431bd22ee7e Mon Sep 17 00:00:00 2001
+From: songnannan2
+Date: Mon, 17 Feb 2020 15:41:28 +0800
+Subject: [PATCH] bugfix in Integer overflow
+
+---
+ libexif/exif-loader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libexif-0.6.21/libexif/exif-loader.c b/libexif-0.6.21/libexif/exif-loader.c
+index 317b86b..e376465 100644
+--- a/libexif/exif-loader.c
++++ b/libexif/exif-loader.c
+@@ -239,7 +239,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
+ break;
+
+ case EL_READ_SIZE_BYTE_24:
+- eld->size |= eld->b[i] << 24;
++ eld->size |= (unsigned int)eld->b[i] << 24;
+ eld->state = EL_READ_SIZE_BYTE_16;
+ break;
+ case EL_READ_SIZE_BYTE_16:
+--
+2.19.1
+
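Review bot: The added `(ExifShort)` cast does not remove the overflow it targets: ExifShort is a 16-bit type, so the operand is promoted back to `int` before `<< 16`, and a makernote value of 0x8000 or above still shifts into the sign bit, which is undefined behaviour for a signed int. The cast needs a 32-bit unsigned type, e.g. `vs2 = (ExifLong)exif_get_short (entry->data+2, entry->order) << 16;`, in line with the `(uint32_t)` casts used by libexif-bugfix-unsigned-int.patch in this same commit. Separately, the visible `CC2 (entry->components, 1, 2, val, maxlen)` appears to admit entries with a single component, in which case `entry->data+2` reads two bytes past the entry's data; unless something outside the hunk already guards this, the second read should be conditional on `entry->components > 1`. The enclosing `mnote_pentax_entry_get_value` continues outside the hunk.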
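Review bot: The nested patch's `diff --git a/libexif-0.6.21/libexif/exif-loader.c ...` header uses a different path prefix from its `--- a/libexif/exif-loader.c` / `+++ b/libexif/exif-loader.c` lines, and the pentax patch above has the same mismatch between its diffstat and its headers; `patch` reads only the `---`/`+++` lines, so both apply, but regenerating each patch with one consistent prefix would avoid confusion about the strip level the spec relies on. The cast itself is correct: the byte in `eld->b[i]` is promoted to int before `<< 24`, and `(unsigned int)` keeps the shift defined for values 0x80 and above, while the following `<< 16` and `<< 8` cases cannot exceed INT_MAX and can stay as they are. The enclosing switch in `exif_loader_write` continues outside the hunk.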
diff --git a/libexif-bugfix-overflow.patch b/libexif-bugfix-overflow.patch
new file mode 100644
index 0000000..8d0aa73
--- /dev/null
+++ b/libexif-bugfix-overflow.patch
@@ -0,0 +1,36 @@
+From f9bb9f263fb00f0603ecbefa8957cad24168cbff Mon Sep 17 00:00:00 2001
+From: Dan Fandrich
+Date: Wed, 4 Jul 2018 11:06:09 +0200
+Subject: [PATCH] Fix a buffer read overflow in exif_entry_get_value
+
+While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
+the end of a heap buffer. This was detected by the OSS Fuzz project.
+Patch from Google.
+
+Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543
+---
+ libexif/exif-entry.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
+index 61260d3..a224ac2 100644
+--- a/libexif/exif-entry.c
++++ b/libexif/exif-entry.c
+@@ -1040,12 +1040,12 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
+ d = 0.;
+ entry = exif_content_get_entry (
+ e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
+- if (entry && entry->data &&
++ if (entry && entry->data && entry->size >= 7 &&
+ !strncmp ((char *)entry->data, "Minolta", 7)) {
+ entry = exif_content_get_entry (
+ e->parent->parent->ifd[EXIF_IFD_0],
+ EXIF_TAG_MODEL);
+- if (entry && entry->data) {
++ if (entry && entry->data && entry->size >= 8) {
+ if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
+ d = 3.9;
+ else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))
+
+
diff --git a/libexif-bugfix-unsigned-int.patch b/libexif-bugfix-unsigned-int.patch
new file mode 100644
index 0000000..d60ec80
--- /dev/null
+++ b/libexif-bugfix-unsigned-int.patch
@@ -0,0 +1,30 @@
+From cf37dc7934bbb10dc5d0c17db260a25aa2831595 Mon Sep 17 00:00:00 2001
+From: Marcus Meissner
+Date: Sat, 18 Jan 2020 19:50:38 +0100
+Subject: [PATCH] cast to unsigned int before shifting left
+
+(weird integer promotion, a unsigned char will be first tried to be promoted to "int" apparently,
+so we need to cast it to avoid implicit behaviour)
+
+fixes https://github.com/libexif/libexif/issues/20
+---
+ libexif/exif-utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libexif/exif-utils.c b/libexif/exif-utils.c
+index 9083ddc..8a92907 100644
+--- a/libexif/exif-utils.c
++++ b/libexif/exif-utils.c
+@@ -132,9 +132,9 @@ exif_get_slong (const unsigned char *b, ExifByteOrder order)
+ if (!b) return 0;
+ switch (order) {
+ case EXIF_BYTE_ORDER_MOTOROLA:
+- return ((b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]);
++ return (((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | (uint32_t)b[3]);
+ case EXIF_BYTE_ORDER_INTEL:
+- return ((b[3] << 24) | (b[2] << 16) | (b[1] << 8) | b[0]);
++ return (((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) | ((uint32_t)b[1] << 8) | (uint32_t)b[0]);
+ }
+
+ /* Won't be reached */
+
diff --git a/libexif.spec b/libexif.spec
index c1d0700..2be61e8 100644
--- a/libexif.spec
+++ b/libexif.spec
@@ -1,15 +1,19 @@ Name: libexif Summary: Library for extracting extra information from image files Version: 0.6.21 -Release: 19 +Release: 20 License: LGPLv2+ URL: https://libexif.github.io/ Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2 -#patch0 comes from fedora -Patch0: 41bd04234b104312f54d25822f68738ba8d7133d.patch +Patch0: 41bd04234b104312f54d25822f68738ba8d7133d.patch Patch6000: libexif-0.6.21_CVE-2017-7544.patch Patch6001: CVE-2018-20030.patch +Patch6003: libexif-bugfix-division-0.patch +Patch6004: libexif-bugfix-integer-overflow.patch +Patch6005: libexif-bugfix-unsigned-int.patch +Patch6006: libexif-bugfix-overflow.patch +Patch9001: libexif-bugfix-integer-overflow-pentax.patch BuildRequires: autoconf automake doxygen gettext-devel libtool pkgconfig git @@ -67,6 +71,9 @@ make check %doc libexif-api.html NEWS %changelog +* Tue Mar 10 2020 songnannan - 0.6.21-20 +- bugfix in oss-fuzz + * Sat Oct 19 2019 openEuler Buildteam - 0.6.21-19 - Type:bugfix - Id:NA
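Review bot: The first hunk drops the `#patch0 comes from fedora` provenance comment while re-adding the `Patch0:` line otherwise unchanged, and introduces five patches with no provenance at all; keeping that comment and adding one per new patch would let the next maintainer separate upstream backports from local fixes when rebasing — the overflow and unsigned-int patches carry upstream author lines and issue links in their own headers, so e.g. `# backport of upstream libexif fix for https://github.com/libexif/libexif/issues/20` above Patch6005 costs nothing. The numbering skips from Patch6001 to Patch6003 and places the pentax fix at Patch9001; if the 6000 and 9000 ranges encode origin, a one-line comment stating that scheme belongs next to them. %prep is outside this hunk — if it uses explicit `%patch` lines rather than `%autosetup`, matching `%patchNNNN -p1` entries are also needed for the new tags or they are silently never applied. The changelog line `bugfix in oss-fuzz` would be more useful naming the patch files or issue ids it covers.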