author | Dan Fandrich <dan@coneharvesters.com> | 2020-05-16 19:29:21 +0200 |
---|---|---|
committer | Jeongmo Yang <jm80.yang@samsung.com> | 2020-06-08 12:44:34 +0900 |
commit | b3fd1b4c572667275713f2e7adae0fad548d311f (patch) | |
tree | 4cdfe65b2fe3979096fdac30bb644f927053407e | |
parent | 5819a64fcec0610e4ab984887e141c1a619d8687 (diff) | |
Ensure the MakerNote data pointers are initialized with NULL.
tizen_6.0.m2_releasesubmit/tizen_6.0_hotfix/20201103.115102submit/tizen_6.0_hotfix/20201102.192902submit/tizen_6.0/20201029.205502submit/tizen/20200608.074032accepted/tizen/unified/20200609.153652accepted/tizen/6.0/unified/hotfix/20201103.050952accepted/tizen/6.0/unified/hotfix/20201102.233921accepted/tizen/6.0/unified/20201030.110329tizen_6.0_hotfixtizen_6.0accepted/tizen_6.0_unified_hotfixaccepted/tizen_6.0_unified
This ensures that an uninitialized pointer isn't dereferenced later in
the case where the number of components (and therefore size) is 0.
This fixes the second issue reported at
https://sourceforge.net/p/libexif/bugs/125/
CVE-2020-13113
Change-Id: I93a19b0d66ef34b22a4485a492be92836711eb0a
Signed-off-by: Jeongmo Yang <jm80.yang@samsung.com>
-rw-r--r-- | libexif/canon/exif-mnote-data-canon.c | 1 | ||||
-rw-r--r-- | libexif/fuji/exif-mnote-data-fuji.c | 1 | ||||
-rw-r--r-- | libexif/olympus/exif-mnote-data-olympus.c | 1 | ||||
-rw-r--r-- | libexif/pentax/exif-mnote-data-pentax.c | 1 | ||||
-rw-r--r-- | packaging/libexif.spec | 2 |
5 files changed, 5 insertions, 1 deletions
diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
index 5c043cf..52f851b 100644
--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
@@ -234,6 +234,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
 for (i = c, o = datao; i; --i, o += 12) {
 size_t s;
+ memset(&n->entries[tcount], 0, sizeof(MnoteCanonEntry));
 if (CHECKOVERFLOW(o,buf_size,12)) {
 exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteCanon", "Short MakerNote");
diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
index a0bcb67..2de0f67 100644
--- a/libexif/fuji/exif-mnote-data-fuji.c
+++ b/libexif/fuji/exif-mnote-data-fuji.c
@@ -198,6 +198,7 @@ exif_mnote_data_fuji_load (ExifMnoteData *en,
 for (i = c, o = datao; i; --i, o += 12) {
 size_t s;
+ memset(&n->entries[tcount], 0, sizeof(MnoteFujiEntry));
 if (CHECKOVERFLOW(o, buf_size, 12)) {
 exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteDataFuji", "Short MakerNote");
diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
index 4d158ce..45e4bc5 100644
--- a/libexif/olympus/exif-mnote-data-olympus.c
+++ b/libexif/olympus/exif-mnote-data-olympus.c
@@ -433,6 +433,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
 tcount = 0;
 for (i = c, o = o2; i; --i, o += 12) {
 size_t s;
+ memset(&n->entries[tcount], 0, sizeof(MnoteOlympusEntry));
 if (CHECKOVERFLOW(o, buf_size, 12)) {
 exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Short MakerNote");
diff --git a/libexif/pentax/exif-mnote-data-pentax.c b/libexif/pentax/exif-mnote-data-pentax.c
index 319d4c6..c23a7e4 100644
--- a/libexif/pentax/exif-mnote-data-pentax.c
+++ b/libexif/pentax/exif-mnote-data-pentax.c
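Review bot: The memset size is written as `sizeof(MnoteCanonEntry)`, a type name repeated by hand next to the object it clears, and the same line is copied into the Fuji, Olympus and Pentax loaders with only the type name changed; a mismatched name would clear too little or write past the slot without any compiler warning. Tying the size to the object removes that risk: `memset(&n->entries[tcount], 0, sizeof(n->entries[tcount]));`. A short comment above the call would also record why the slot is zeroed, for example `/* keep the data pointer NULL when the entry has 0 components (CVE-2020-13113) */`. The code that later reads the entry's data pointer is outside these hunks, so it is worth confirming that it accepts NULL together with a size of 0; the body of exif_mnote_data_canon_load also starts and ends outside the hunk.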
@@ -280,6 +280,7 @@ exif_mnote_data_pentax_load (ExifMnoteData *en,
 for (i = c, o = datao; i; --i, o += 12) {
 size_t s;
+ memset(&n->entries[tcount], 0, sizeof(MnotePentaxEntry));
 if (CHECKOVERFLOW(o,buf_size,12)) {
 exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteDataPentax", "Short MakerNote");
diff --git a/packaging/libexif.spec b/packaging/libexif.spec
index c6030ed..6a92be7 100644
--- a/packaging/libexif.spec
+++ b/packaging/libexif.spec
@@ -1,6 +1,6 @@
 Name: libexif
 Version: 0.6.21
-Release: 3
+Release: 4
 License: LGPL-2.1
 Summary: An EXIF Tag Parsing Library for Digital Cameras
 Url: http://libexif.sourceforge.net |