File bug-771229_CVE-2012-2812.patch of Package libexif
Update of /cvsroot/libexif/libexif/libexif
In directory vz-cvs-4.sog:/tmp/cvs-serv18224/libexif
Modified Files:
exif-entry.c
Log Message:
Fixed an out of bounds read on corrupted input.
The EXIF_TAG_COPYRIGHT tag ought to be, but perhaps is not,
NUL-terminated.
This fixes CVE-2012-2812
Index: exif-entry.c
===================================================================
RCS file: /cvsroot/libexif/libexif/libexif/exif-entry.c,v
retrieving revision 1.147
retrieving revision 1.148
diff -u -d -r1.147 -r1.148
--- libexif/exif-entry.c 12 Jul 2012 17:12:24 -0000 1.147
+++ libexif/exif-entry.c 12 Jul 2012 17:13:03 -0000 1.148
@@ -611,6 +611,30 @@
printf ("%s Value: %s\n", buf, exif_entry_get_value (e, value, sizeof(value)));
}
+/*! Check if a string consists entirely of a single, repeated character.
+ * Up to first n bytes are checked.
+ *
+ * \param[in] data pointer of string to check
+ * \param[in] ch character to match
+ * \param[in] n maximum number of characters to match
+ *
+ * \return 0 if the string matches or is of zero length, nonzero otherwise
+ */
+static int
+match_repeated_char(const unsigned char *data, unsigned char ch, size_t n)
+{
+ int i;
+ for (i=n; i; --i, ++data) {
+ if (*data == 0) {
+ i = 0; /* all bytes before NUL matched */
+ break;
+ }
+ if (*data != ch)
+ break;
+ }
+ return i;
+}
+
#define CF(entry,target,v,maxlen) \
{ \
if (entry->format != target) { \
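Review bot: In match_repeated_char the counter is declared `int i` but initialised from the `size_t n`, so a length above INT_MAX would not survive the conversion and the loop would stop honouring the n-byte bound that this fix depends on. Declaring `size_t i;` and ending with `return i != 0;` keeps the bound exact and avoids narrowing the leftover count into the int return value. The name reads like a predicate that is true on a match, yet the function returns 0 on a match and the callers in the later hunks use nonzero to mean "contains something else". The doc comment could state that sense outright, for example `\return 0 if every byte before the first NUL (or all n bytes) equals ch, nonzero otherwise`.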
@@ -806,7 +830,6 @@
exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
{
unsigned int i, j, k;
- const unsigned char *t;
ExifShort v_short, v_short2, v_short3, v_short4;
ExifByte v_byte;
ExifRational v_rat;
@@ -948,9 +971,9 @@
/*
* First part: Photographer.
* Some cameras store a string like " " here. Ignore it.
+ * Remember that a corrupted tag might not be NUL-terminated
*/
- if (e->size && e->data &&
- (strspn ((char *)e->data, " ") != strlen ((char *) e->data)))
+ if (e->size && e->data && match_repeated_char(e->data, ' ', e->size))
strncpy (val, (char *) e->data, MIN (maxlen, e->size));
else
strncpy (val, _("[None]"), maxlen);
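Review bot: The `strncpy (val, (char *) e->data, MIN (maxlen, e->size))` call leaves val without a terminator when the first e->size bytes hold no NUL, which is the corrupted-tag case this commit targets, and the next statement in the editor part calls `strlen (val)`. That is only safe if exif_entry_get_value zero-fills val and reduces maxlen by one before reaching this branch; the start of the function is outside the hunk, so this should be confirmed. If it holds, a comment next to the new one would record the dependency, for example `/* val was zero-filled on entry, so the strncpy result stays NUL-terminated */`.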
@@ -959,15 +982,20 @@
/* Second part: Editor. */
strncat (val, " - ", maxlen - strlen (val));
+ k = 0;
if (e->size && e->data) {
- size_t ts;
- t = e->data + strlen ((char *) e->data) + 1;
- ts = e->data + e->size - t;
- if ((ts > 0) && (strspn ((char *)t, " ") != ts))
- strncat (val, (char *)t, MIN (maxlen - strlen (val), ts));
- } else {
- strncat (val, _("[None]"), maxlen - strlen (val));
+ const unsigned char *tagdata = memchr(e->data, 0, e->size);
+ if (tagdata++) {
+ int editor_ofs = tagdata - e->data;
+ int remaining = e->size - editor_ofs;
+ if (match_repeated_char(tagdata, ' ', remaining)) {
+ strncat (val, (const char*)tagdata, MIN (maxlen - strlen (val), remaining));
+ ++k;
+ }
+ }
}
+ if (!k)
+ strncat (val, _("[None]"), maxlen - strlen (val));
strncat (val, " ", maxlen - strlen (val));
strncat (val, _("(Editor)"), maxlen - strlen (val));
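Review bot: `if (tagdata++)` increments the pointer even when memchr returned NULL, and arithmetic on a null pointer is undefined behaviour; testing first and advancing afterwards, `if (tagdata) { ++tagdata;`, avoids that. `editor_ofs` and `remaining` are declared `int` although they are derived from a pointer difference and e->size and are then passed as the `size_t n` of match_repeated_char and compared inside MIN with an unsigned expression; `size_t remaining = e->size - (size_t)(tagdata - e->data);` would keep the arithmetic in one unsigned type. The reuse of the general counter `k` as a "did we append an editor" flag would be easier to follow with a short comment such as `/* k: set once an editor string has been appended */`. The enclosing exif_entry_get_value begins and ends outside this hunk.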