File bug-771229_CVE-2012-2841.patch of Package libexif

Overview Repositories Revisions Requests Users Attributes Meta

File bug-771229_CVE-2012-2841.patch of Package libexif

Update of /cvsroot/libexif/libexif/libexif
In directory vz-cvs-4.sog:/tmp/cvs-serv18407/libexif

Modified Files:
	exif-entry.c 
Log Message:
Fixed a buffer overflow problem in exif_entry_get_value
If the application passed in a buffer length of 0, then it would
be treated as the buffer had unlimited length.
This fixes CVE-2012-2841

Index: libexif/exif-entry.c
===================================================================
--- libexif/exif-entry.c.orig
+++ libexif/exif-entry.c
@@ -862,14 +862,15 @@ exif_entry_get_value (ExifEntry *e, char
 	 */
 	bindtextdomain (GETTEXT_PACKAGE, LOCALEDIR);
 
+	if (!e || !e->parent || !e->parent->parent || !maxlen)
+		return val;
+
 	/* make sure the returned string is zero terminated */
 	memset (val, 0, maxlen);
 	maxlen--;
 	memset (b, 0, sizeof (b));
 
 	/* We need the byte order */
-	if (!e || !e->parent || !e->parent->parent)
-		return val;
 	o = exif_data_get_byte_order (e->parent->parent);
 
 	/* Sanity check */
@@ -927,17 +928,16 @@ exif_entry_get_value (ExifEntry *e, char
 
 		/*
 		 * If we reach this point, the tag does not
-		 * comply with the standard and seems to contain data.
+		 * comply with the standard but seems to contain data.
 		 * Print as much as possible.
 		 */
 		exif_entry_log (e, EXIF_LOG_CODE_DEBUG,
 			_("Tag UserComment does not comply "
 			"with standard but contains data."));
-		for (; (i < e->size)  && (strlen (val) < maxlen - 1); i++) {
+		for (j = 0; (i < e->size) && (j < maxlen); i++, j++) {
 			exif_entry_log (e, EXIF_LOG_CODE_DEBUG,
 				_("Byte at position %i: 0x%02x"), i, e->data[i]);
-			val[strlen (val)] =
-				isprint (e->data[i]) ? e->data[i] : '.';
+			val[j] = isprint (e->data[i]) ? e->data[i] : '.';
 		}
 		break;

Places

File bug-771229_CVE-2012-2841.patch of Package libexif

Places