!1 libexif: bugfix in oss-fuzz

Merge pull request !1 from orange-snn/master
2020-03-10 16:51:50 +08:00 · 2020-03-10 16:51:50 +08:00 · acc20272f6
commit acc20272f6
parent e4a47fd37f 3b673cd83c
6 changed files with 163 additions and 3 deletions
--- a/libexif-bugfix-division-0.patch
+++ b/libexif-bugfix-division-0.patch
@ -0,0 +1,37 @@
 From d66dea055522290c1ef34e3ae914146cd52b5d8e Mon Sep 17 00:00:00 2001
 From: songnannan2 <songnannan2@huawei.com>
 Date: Sat, 15 Feb 2020 20:44:53 +0800
 Subject: [PATCH] libexif: modification summary
 ---
 libexif-0.6.21/libexif/exif-entry.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
 diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
 index 54a90a2..436e8a7 100644
 --- a/libexif/exif-entry.c
 +++ b/libexif/exif-entry.c
@@ -1085,7 +1085,7 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
 			break;
 		}
 		d = (double) v_rat.numerator / (double) v_rat.denominator;
 -		if (d < 1)
 +		if (d < 1 && d)
 			snprintf (val, maxlen, _("1/%i"), (int) (0.5 + 1. / d));
 		else
 			snprintf (val, maxlen, "%i", (int) d);
@@ -1102,8 +1102,9 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
 		}
 		d = (double) v_srat.numerator / (double) v_srat.denominator;
 		snprintf (val, maxlen, _("%.02f EV"), d);
 -		d = 1. / pow (2, d);
 -		if (d < 1)
 +		if (pow (2, d))
 +			d = 1. / pow (2, d);
 +		if (d < 1 && d)
 		  snprintf (b, sizeof (b), _(" (1/%d sec.)"), (int) (1. / d));
 		else
 		  snprintf (b, sizeof (b), _(" (%d sec.)"), (int) d);
 -- 
 2.19.1
--- a/libexif-bugfix-integer-overflow-pentax.patch
+++ b/libexif-bugfix-integer-overflow-pentax.patch
@ -0,0 +1,25 @@
 From 9474cc8aef621e83b00dd4c414a834426415bfbe Mon Sep 17 00:00:00 2001
 From: songnannan2 <songnannan2@huawei.com>
 Date: Tue, 18 Feb 2020 23:00:27 +0800
 Subject: [PATCH] bugfix about can not be represented in type int
 ---
 libexif-0.6.21/libexif/pentax/mnote-pentax-entry.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
 index dcb1560..691a2bd 100644
 --- a/libexif/pentax/mnote-pentax-entry.c
 +++ b/libexif/pentax/mnote-pentax-entry.c
@@ -365,7 +365,7 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
 			CF (entry->format, EXIF_FORMAT_SHORT, val, maxlen);
 			CC2 (entry->components, 1, 2, val, maxlen);
 			vs = exif_get_short (entry->data, entry->order);
 -			vs2 = exif_get_short (entry->data+2, entry->order) << 16;
 +			vs2 = (ExifShort)exif_get_short (entry->data+2, entry->order) << 16;
 			/* search the tag */
 			for (i = 0; (items2[i].tag && items2[i].tag != entry->tag); i++);
 -- 
 2.19.1
--- a/libexif-bugfix-integer-overflow.patch
+++ b/libexif-bugfix-integer-overflow.patch
@ -0,0 +1,25 @@
 From c7c4de72c04b5b795ce8df9c49648431bd22ee7e Mon Sep 17 00:00:00 2001
 From: songnannan2 <songnannan2@huawei.com>
 Date: Mon, 17 Feb 2020 15:41:28 +0800
 Subject: [PATCH] bugfix in Integer overflow
 ---
 libexif/exif-loader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libexif-0.6.21/libexif/exif-loader.c b/libexif-0.6.21/libexif/exif-loader.c
 index 317b86b..e376465 100644
 --- a/libexif/exif-loader.c
 +++ b/libexif/exif-loader.c
@@ -239,7 +239,7 @@ exif_loader_write (ExifLoader *eld, unsigned char *buf, unsigned int len)
 			break;
 		case EL_READ_SIZE_BYTE_24:
 -			eld->size |= eld->b[i] << 24;
 +			eld->size |= (unsigned int)eld->b[i] << 24;
 			eld->state = EL_READ_SIZE_BYTE_16;
 			break;
 		case EL_READ_SIZE_BYTE_16:
 -- 
 2.19.1
--- a/libexif-bugfix-overflow.patch
+++ b/libexif-bugfix-overflow.patch
@ -0,0 +1,36 @@
 From f9bb9f263fb00f0603ecbefa8957cad24168cbff Mon Sep 17 00:00:00 2001
 From: Dan Fandrich <dan@coneharvesters.com>
 Date: Wed, 4 Jul 2018 11:06:09 +0200
 Subject: [PATCH] Fix a buffer read overflow in exif_entry_get_value
 While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past
 the end of a heap buffer. This was detected by the OSS Fuzz project.
 Patch from Google.
 Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and
 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543
 ---
 libexif/exif-entry.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
 index 61260d3..a224ac2 100644
 --- a/libexif/exif-entry.c
 +++ b/libexif/exif-entry.c
@@ -1040,12 +1040,12 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
 		d = 0.;
 		entry = exif_content_get_entry (
 			e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
 -		if (entry && entry->data &&
 +		if (entry && entry->data && entry->size >= 7 &&
 		    !strncmp ((char *)entry->data, "Minolta", 7)) {
 			entry = exif_content_get_entry (
 					e->parent->parent->ifd[EXIF_IFD_0],
 					EXIF_TAG_MODEL);
 -			if (entry && entry->data) {
 +			if (entry && entry->data && entry->size >= 8) {
 				if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
 					d = 3.9;
 				else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))
--- a/libexif-bugfix-unsigned-int.patch
+++ b/libexif-bugfix-unsigned-int.patch
@ -0,0 +1,30 @@
 From cf37dc7934bbb10dc5d0c17db260a25aa2831595 Mon Sep 17 00:00:00 2001
 From: Marcus Meissner <marcus@jet.franken.de>
 Date: Sat, 18 Jan 2020 19:50:38 +0100
 Subject: [PATCH] cast to unsigned int before shifting left
 (weird integer promotion, a unsigned char will be first tried to be promoted to "int" apparently,
 so we need to cast it to avoid implicit behaviour)
 fixes https://github.com/libexif/libexif/issues/20
 ---
 libexif/exif-utils.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/libexif/exif-utils.c b/libexif/exif-utils.c
 index 9083ddc..8a92907 100644
 --- a/libexif/exif-utils.c
 +++ b/libexif/exif-utils.c
@@ -132,9 +132,9 @@ exif_get_slong (const unsigned char *b, ExifByteOrder order)
 	if (!b) return 0;
         switch (order) {
         case EXIF_BYTE_ORDER_MOTOROLA:
 -                return ((b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]);
 +                return (((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | (uint32_t)b[3]);
         case EXIF_BYTE_ORDER_INTEL:
 -                return ((b[3] << 24) | (b[2] << 16) | (b[1] << 8) | b[0]);
 +                return (((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) | ((uint32_t)b[1] << 8) | (uint32_t)b[0]);
         }
 	/* Won't be reached */
--- a/libexif.spec
+++ b/libexif.spec
@ -1,15 +1,19 @@
 Name:           libexif
 Summary:        Library for extracting extra information from image files
 Version:        0.6.21
-Release:        19
+Release:        20
 License:        LGPLv2+
 URL:            https://libexif.github.io/
 Source0:        https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
 #patch0 comes from fedora
 Patch0:         41bd04234b104312f54d25822f68738ba8d7133d.patch
 Patch0:         41bd04234b104312f54d25822f68738ba8d7133d.patch
 Patch6000:      libexif-0.6.21_CVE-2017-7544.patch
 Patch6001:      CVE-2018-20030.patch
 Patch6003:      libexif-bugfix-division-0.patch
 Patch6004:	libexif-bugfix-integer-overflow.patch
 Patch6005: 	libexif-bugfix-unsigned-int.patch
 Patch6006:	libexif-bugfix-overflow.patch
 Patch9001:	libexif-bugfix-integer-overflow-pentax.patch
 BuildRequires:  autoconf automake doxygen gettext-devel libtool pkgconfig git
@ -67,6 +71,9 @@ make check
 %doc libexif-api.html NEWS
 %changelog
 * Tue Mar 10 2020 songnannan <songnannan2@huawei.com> - 0.6.21-20
 - bugfix in oss-fuzz
 * Sat Oct 19 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.6.21-19
 - Type:bugfix
 - Id:NA