[denzil 05/18] Security Advisory - libexif - CVE-2012-2836

[Mark Hatle <mark.hatle@windriver.com>]

From: Yue Tao <Yue.Tao@windriver.com>

[ CQID: WIND00366788 ]

The exif_data_load_data function in exif-data.c in the EXIF Tag
Parsing Library (aka libexif) before 0.6.21 allows remote attackers
to cause a denial of service (out-of-bounds read) or possibly
obtain sensitive information from process memory via crafted EXIF
tags in an image.

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 .../libexif/0004-libexif-CVE-2012-2836.patch       | 140 +++++++++++++++++++++
 meta/recipes-support/libexif/libexif_0.6.20.bb     |   3 +-
 2 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libexif/libexif/0004-libexif-CVE-2012-2836.patch

diff --git a/meta/recipes-support/libexif/libexif/0004-libexif-CVE-2012-2836.patch b/meta/recipes-support/libexif/libexif/0004-libexif-CVE-2012-2836.patch
new file mode 100644
index 0000000..430e35c
--- /dev/null
+++ b/meta/recipes-support/libexif/libexif/0004-libexif-CVE-2012-2836.patch
@@ -0,0 +1,140 @@
+Index: libexif/exif-data.c
+===================================================================
+RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v
+retrieving revision 1.129
+retrieving revision 1.131
+diff -c -u -r1.129 -r1.131
+--- a/libexif/exif-data.c	8 Oct 2010 06:50:19 -0000	1.129
++++ b/libexif/exif-data.c	12 Jul 2012 17:28:26 -0000	1.131
+@@ -781,15 +781,15 @@
+ 
+ void
+ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
+-		     unsigned int ds_orig)
++		     unsigned int ds)
+ {
+ 	unsigned int l;
+ 	ExifLong offset;
+ 	ExifShort n;
+ 	const unsigned char *d = d_orig;
+-	unsigned int ds = ds_orig, len;
++	unsigned int len, fullds;
+ 
+-	if (!data || !data->priv || !d || !ds) 
++	if (!data || !data->priv || !d || !ds)
+ 		return;
+ 
+ 	exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+@@ -807,21 +807,21 @@
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ 			  "Found EXIF header.");
+ 	} else {
+-		while (1) {
+-			while ((d[0] == 0xff) && ds) {
++		while (ds >= 3) {
++			while (ds && (d[0] == 0xff)) {
+ 				d++;
+ 				ds--;
+ 			}
+ 
+ 			/* JPEG_MARKER_SOI */
+-			if (d[0] == JPEG_MARKER_SOI) {
++			if (ds && d[0] == JPEG_MARKER_SOI) {
+ 				d++;
+ 				ds--;
+ 				continue;
+ 			}
+ 
+ 			/* JPEG_MARKER_APP0 */
+-			if (d[0] == JPEG_MARKER_APP0) {
++			if (ds >= 3 && d[0] == JPEG_MARKER_APP0) {
+ 				d++;
+ 				ds--;
+ 				l = (d[0] << 8) | d[1];
+@@ -833,7 +833,7 @@
+ 			}
+ 
+ 			/* JPEG_MARKER_APP1 */
+-			if (d[0] == JPEG_MARKER_APP1)
++			if (ds && d[0] == JPEG_MARKER_APP1)
+ 				break;
+ 
+ 			/* Unknown marker or data. Give up. */
+@@ -841,12 +841,12 @@
+ 				  "ExifData", _("EXIF marker not found."));
+ 			return;
+ 		}
+-		d++;
+-		ds--;
+-		if (ds < 2) {
++		if (ds < 3) {
+ 			LOG_TOO_SMALL;
+ 			return;
+ 		}
++		d++;
++		ds--;
+ 		len = (d[0] << 8) | d[1];
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ 			  "We have to deal with %i byte(s) of EXIF data.",
+@@ -872,9 +872,18 @@
+ 	exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ 		  "Found EXIF header.");
+ 
+-	/* Byte order (offset 6, length 2) */
++	/* Sanity check the data length */
+ 	if (ds < 14)
+ 		return;
++
++	/* The JPEG APP1 section can be no longer than 64 KiB (including a
++	   16-bit length), so cap the data length to protect against overflow
++	   in future offset calculations */
++	fullds = ds;
++	if (ds > 0xfffe)
++		ds = 0xfffe;
++
++	/* Byte order (offset 6, length 2) */
+ 	if (!memcmp (d + 6, "II", 2))
+ 		data->priv->order = EXIF_BYTE_ORDER_INTEL;
+ 	else if (!memcmp (d + 6, "MM", 2))
+@@ -894,24 +903,25 @@
+ 	exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", 
+ 		  "IFD 0 at %i.", (int) offset);
+ 
++	/* Sanity check the offset, being careful about overflow */
++	if (offset > ds || offset + 6 + 2 > ds)
++		return;
++
+ 	/* Parse the actual exif data (usually offset 14 from start) */
+ 	exif_data_load_data_content (data, EXIF_IFD_0, d + 6, ds - 6, offset, 0);
+ 
+ 	/* IFD 1 offset */
+-	if (offset + 6 + 2 > ds) {
+-		return;
+-	}
+ 	n = exif_get_short (d + 6 + offset, data->priv->order);
+-	if (offset + 6 + 2 + 12 * n + 4 > ds) {
++	if (offset + 6 + 2 + 12 * n + 4 > ds)
+ 		return;
+-	}
++
+ 	offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order);
+ 	if (offset) {
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ 			  "IFD 1 at %i.", (int) offset);
+ 
+ 		/* Sanity check. */
+-		if (offset > ds - 6) {
++		if (offset > ds || offset + 6 > ds) {
+ 			exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ 				  "ExifData", "Bogus offset of IFD1.");
+ 		} else {
+@@ -925,7 +935,7 @@
+ 	 * space between IFDs. Here is the only place where we have access
+ 	 * to that data.
+ 	 */
+-	interpret_maker_note(data, d, ds);
++	interpret_maker_note(data, d, fullds);
+ 
+ 	/* Fixup tags if requested */
+ 	if (data->priv->options & EXIF_DATA_OPTION_FOLLOW_SPECIFICATION)
+
diff --git a/meta/recipes-support/libexif/libexif_0.6.20.bb b/meta/recipes-support/libexif/libexif_0.6.20.bb
index 7d8f8fd..25de763 100644
--- a/meta/recipes-support/libexif/libexif_0.6.20.bb
+++ b/meta/recipes-support/libexif/libexif_0.6.20.bb
@@ -9,7 +9,8 @@ PR = "r1"
 SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \
 	  file://0001-libexif-CVE-2012-2813.patch \
 	  file://0002-libexif-CVE-2012-2812.patch \
-	  file://0003-libexif-CVE-2012-2841.patch"
+	  file://0003-libexif-CVE-2012-2841.patch \
+	  file://0004-libexif-CVE-2012-2836.patch"
 
 SRC_URI[md5sum] = "19844ce6b5d075af16f0d45de1e8a6a3"
 SRC_URI[sha256sum] = "a772d20bd8fb9802d7f0d70fde6ac8872f87d0c66c52b0d14026dafcaa83d715"
-- 
1.8.1.2.545.g2f19ada