File bug-771229_CVE-2012-2813.patch of Package libexif
Update of /cvsroot/libexif/libexif/libexif
In directory vz-cvs-4.sog:/tmp/cvs-serv18177/libexif
Modified Files:
exif-entry.c
Log Message:
Don't read past the end of a tag when converting from UTF-16
This fixes CVE-2012-2813
Index: exif-entry.c
===================================================================
RCS file: /cvsroot/libexif/libexif/libexif/exif-entry.c,v
retrieving revision 1.146
retrieving revision 1.147
diff -u -d -r1.146 -r1.147
--- libexif/exif-entry.c 12 Jul 2012 17:10:34 -0000 1.146
+++ libexif/exif-entry.c 12 Jul 2012 17:12:24 -0000 1.147
@@ -1346,10 +1346,23 @@
case EXIF_TAG_XP_AUTHOR:
case EXIF_TAG_XP_KEYWORDS:
case EXIF_TAG_XP_SUBJECT:
+ {
+ /* Sanity check the size to prevent overflow */
+ if (e->size+sizeof(unsigned short) < e->size) break;
+
+ /* The tag may not be U+0000-terminated , so make a local
+ U+0000-terminated copy before converting it */
+ unsigned short *utf16 = exif_mem_alloc (e->priv->mem, e->size+sizeof(unsigned short));
+ if (!utf16) break;
+ memcpy(utf16, e->data, e->size);
+ utf16[e->size/sizeof(unsigned short)] = 0;
+
/* Warning! The texts are converted from UTF16 to UTF8 */
/* FIXME: use iconv to convert into the locale encoding */
- exif_convert_utf16_to_utf8(val, (unsigned short*)e->data, MIN(maxlen, e->size));
+ exif_convert_utf16_to_utf8(val, utf16, maxlen);
+ exif_mem_free(e->priv->mem, utf16);
break;
+ }
default:
/* Use a generic value formatting */
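Review bot: The terminator write `utf16[e->size/sizeof(unsigned short)] = 0;` stays in bounds for an odd `e->size` only because integer division rounds the index down, and nothing in the new block says so. In that case the U+0000 overlaps the last copied byte, which is inside the `e->size+sizeof(unsigned short)` allocation but drops the trailing half code unit. I would add a comment above it such as `/* Odd e->size: index rounds down, terminator overlaps the last byte, still inside the allocation */`. Separately, `unsigned short *utf16 = ...` is declared after the overflow-check statement, which pre-C99 compilers reject; declaring `unsigned short *utf16;` at the top of the block and assigning after the check avoids that. Both early `break` paths leave `val` as it was on entry, and whether it was cleared beforehand cannot be seen here because the enclosing switch and function start outside the hunk.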