From e93be918878ab98ee45430858e96cb302ffee2bc Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Sat, 30 Jan 2021 14:06:08 +0100
Subject: [PATCH] limit the amount of tags we allow in the makernote here.
due to memory layout the max amount of 65536 tags could be used
to exhaust lots of memory and time during parsing,
as each tag can reuse the same memory range.
(Memory usage DOS (2GB+) and compute dos (several minutes on fast machine, but not endless))
This fixes OSS-FUZZ issue 27280.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27280
---
libexif/olympus/exif-mnote-data-olympus.c | 7 +++++++
1 file changed, 7 insertions(+)
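--- a/libexif/olympus/exif-mnote-data-olympus.c
+++ b/libexif/olympus/exif-mnote-data-olympus.c
@@ -419,6 +419,13 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
 c = exif_get_short (buf + o2, n->order);
 o2 += 2;
 
+ /* Just use an arbitrary max tag limit here to avoid needing to much memory or time. There are 150 named tags currently.
+ * The format allows specifying the same range of memory as often as it can, so this multiplies quickly. */
+ if (c > 300) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Too much tags (%d) in Olympus MakerNote", c);
+ return;
+ }
+
 /* Remove any old entries */
 exif_mnote_data_olympus_clear (n);
 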
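Review bot: The new `return` in the `c > 300` branch runs before `exif_mnote_data_olympus_clear (n)`, so a rejected MakerNote leaves any entries that `n` already held in place. If this loader can be called on an already populated object, the check should sit after the clear, or the branch should call `exif_mnote_data_olympus_clear (n);` before returning. The cap also limits only the tag count: the comment says every tag may reference the same byte range, so total allocation is still up to 300 times the largest entry unless the loop, which lies outside this hunk, bounds per-entry size, and a cumulative byte budget checked per entry would close that gap. The literal 300 would read better as a named constant next to the note about the 150 known tags, and the log text should say `"Too many tags (%d) in Olympus MakerNote"`. The body of exif_mnote_data_olympus_load starts and ends outside the hunk, so the type of `c` against `%d` could not be checked here.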
--
2.27.0