summaryrefslogtreecommitdiff
path: root/user/libexif/CVE-2019-9278.patch
diff options
context:
space:
mode:
authorA. Wilcox <awilcox@wilcox-tech.com>2020-06-15 21:08:54 +0000
committerA. Wilcox <awilcox@wilcox-tech.com>2020-06-15 21:08:54 +0000
commitfdeddc8e9da35c99bae08190a8476dc37ac8e9b8 (patch)
treea28b8099d156ea27a5efc7d4603bbc2289363471 /user/libexif/CVE-2019-9278.patch
parent230772b3aed14d14b9438ea9b2283fa28c7ebce5 (diff)
parent29e941e719283d2570dc67038722d6ea6c19874e (diff)
downloadpackages-fdeddc8e9da35c99bae08190a8476dc37ac8e9b8.tar.gz
packages-fdeddc8e9da35c99bae08190a8476dc37ac8e9b8.tar.bz2
packages-fdeddc8e9da35c99bae08190a8476dc37ac8e9b8.tar.xz
packages-fdeddc8e9da35c99bae08190a8476dc37ac8e9b8.zip
Merge branch 'sec/2020.06.02' into 'master'
Security updates for 2020.06.02 See merge request adelie/packages!464
Diffstat (limited to 'user/libexif/CVE-2019-9278.patch')
-rw-r--r--user/libexif/CVE-2019-9278.patch85
1 files changed, 0 insertions, 85 deletions
diff --git a/user/libexif/CVE-2019-9278.patch b/user/libexif/CVE-2019-9278.patch
deleted file mode 100644
index bd15e8d13..000000000
--- a/user/libexif/CVE-2019-9278.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 75aa73267fdb1e0ebfbc00369e7312bac43d0566 Mon Sep 17 00:00:00 2001
-From: Marcus Meissner <meissner@suse.de>
-Date: Sat, 18 Jan 2020 09:29:42 +0100
-Subject: [PATCH] fix CVE-2019-9278
-
-avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away)
-
-check for the actual sizes, which should also handle the overflows
-document other places google patched, but do not seem relevant due to other restrictions
-
-fixes https://github.com/libexif/libexif/issues/26
----
- libexif/exif-data.c | 28 ++++++++++++++++++----------
- 1 file changed, 18 insertions(+), 10 deletions(-)
-
-diff --git a/libexif/exif-data.c b/libexif/exif-data.c
-index a6f9c94..6332cd1 100644
---- a/libexif/exif-data.c
-+++ b/libexif/exif-data.c
-@@ -192,9 +192,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
- doff = offset + 8;
-
- /* Sanity checks */
-- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
-+ if (doff >= size) {
- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
-- "Tag data past end of buffer (%u > %u)", doff+s, size);
-+ "Tag starts past end of buffer (%u > %u)", doff, size);
-+ return 0;
-+ }
-+
-+ if (s > size - doff) {
-+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
-+ "Tag data goes past end of buffer (%u > %u)", doff+s, size);
- return 0;
- }
-
-@@ -315,13 +321,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
- unsigned int ds, ExifLong o, ExifLong s)
- {
- /* Sanity checks */
-- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
-- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
-- "Bogus thumbnail offset (%u) or size (%u).",
-- o, s);
-+ if (o >= ds) {
-+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
-+ return;
-+ }
-+ if (s > ds - o) {
-+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
- return;
- }
--
- if (data->data)
- exif_mem_free (data->priv->mem, data->data);
- if (!(data->data = exif_data_alloc (data, s))) {
-@@ -947,7 +954,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
- "IFD 0 at %i.", (int) offset);
-
-- /* Sanity check the offset, being careful about overflow */
-+ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
- if (offset > ds || offset + 6 + 2 > ds)
- return;
-
-@@ -956,6 +963,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
-
- /* IFD 1 offset */
- n = exif_get_short (d + 6 + offset, data->priv->order);
-+ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
- if (offset + 6 + 2 + 12 * n + 4 > ds)
- return;
-
-@@ -964,8 +972,8 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
- "IFD 1 at %i.", (int) offset);
-
-- /* Sanity check. */
-- if (offset > ds || offset + 6 > ds) {
-+ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
-+ if (offset > ds - 6) {
- exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
- "ExifData", "Bogus offset of IFD1.");
- } else {