Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
From Ubuntu bug: The exif library fails to validate input in several place, and jpeg image with invalid exif data may crash user application.
Ubuntu patch over 0.6.9... ============================================================== --- libexif-0.6.9/libexif/exif-data.c~ 2005-03-03 22:54:52.333049248 +0100 +++ libexif-0.6.9/libexif/exif-data.c 2005-03-03 22:50:57.117807400 +0100 @@ -640,7 +640,7 @@ #endif /* Byte order (offset 6, length 2) */ - if (ds < 12) + if (ds < 14) return; if (!memcmp (d + 6, "II", 2)) data->priv->order = EXIF_BYTE_ORDER_INTEL; @@ -659,12 +659,18 @@ printf ("IFD 0 at %i.\n", (int) offset); #endif + if (ds < 6 + 4 + offset) + return; + /* Parse the actual exif data (offset 14) */ exif_data_load_data_content (data, data->ifd[EXIF_IFD_0], d + 6, ds - 6, offset); /* IFD 1 offset */ n = exif_get_short (d + 6 + offset, data->priv->order); + if (ds < 6 + offset + 2 + 12 * n + 4) + return; + offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order); if (offset) { #ifdef DEBUG ============================================================ This needs to be backported to 0.5, or the 0.6 branch needs to be unmasked and this patch applied. Backport looks easy, just a few variable names to change (fex "ds" was called "size"). Pulling eradicator in (as he was the one to mask it) for comments. Pulling sekretarz in as he was the last committer. Only the first hunk is not in upstream CVS yet. An equivalent of the second hunk is in CVS (exif-data.c v1.62) post 2.6.11.
I'd say unmask it and apply to 0.6. Most major packages have been fixed to support 0.6, but there may be a couple outliers that we missed...
There is a patch for the 0.5 branch released by/for Fedora http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/SRPMS/libexif-0.5.12-3.1.src.rpm I will extract the patch from the SRPM and attach it here.
Created an attachment (id=53007) [details] Patch for the 0.5 branch from Fedora As Sune Kloppenborg Jeppesen reported, "size" in libexif 0.5.x became "ds" in 0.6.x . RedHat/Fedora Bugzilla bug 150506.
Archs: Please mark 0.5.12-r2 stable
stable on ppc64
Stable ppc-macos.
Stable on alpha.
Stable on ppc.
GLSA 200503-17 arm/hppa/ia64/mips, please mark stable to benefit from GLSA.
Stable on mips.
