authorMarcus Meissner <marcus@jet.franken.de>2020-05-16 16:47:42 +0200
committerMarcus Meissner <marcus@jet.franken.de>2020-05-16 16:47:42 +0200
commit5ae5973bed1947f4d447dc80b76d5cefadd90133 (patch)
tree2bf28f9c2f59d4d735880fc1893bd5bce246040f
parent154189b77491191e00e1204083ab51c4ad5a60ff (diff)
libexif: Fix read buffer overflow (CVE-2020-0093)
Make sure the number of bytes being copied doesn't exceed the source buffer size. From Android repo: https://android.googlesource.com/platform/external/libexif/+/0335ffc17f9b9a4831c242bb08ea92f605fde7a6%5E%21/#F0 Test: testPocBug_148705132 Bug: 148705132 fixes https://github.com/libexif/libexif/issues/42
-rw-r--r--libexif/exif-data.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 6332cd1..65ae93d 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -308,7 +308,9 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
/* Write the data. Fill unneeded bytes with 0. Do not crash with
* e->data is NULL */
if (e->data) {
- memcpy (*d + 6 + doff, e->data, s);
+ unsigned int len = s;
+ if (e->size < s) len = e->size;
+ memcpy (*d + 6 + doff, e->data, len);
} else {
memset (*d + 6 + doff, 0, s);
}
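Review bot: When `e->size < s`, only `len` bytes are copied and the remaining `s - len` bytes at `*d + 6 + doff + len` are never written, although the comment above the branch says unneeded bytes are filled with 0 and the `else` branch zeroes all `s` bytes. If the output buffer is not zero-initialised where it is allocated (that code is outside this hunk), those bytes would carry stale heap contents into the saved EXIF data. Adding `if (len < s) memset (*d + 6 + doff + len, 0, s - len);` right after the `memcpy` would close that gap and keep the output deterministic. The body of exif_data_save_data_entry starts before and continues after the hunk.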