| /* |
| * Copyright (C) 2020 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <stdlib.h> |
| #include <sys/mman.h> |
| #include <unistd.h> |
| #include "../includes/common.h" |
| #include "libexif/exif-data.h" |
| #include "libexif/pentax/exif-mnote-data-pentax.h" |
| |
| #define NUM_PAGES 2 |
| #define VULNERABLE_ENTRY_INDEX 6 |
| #define VALUE_SIZE 1024 |
| |
| int main(int argc, char **argv) { |
| if (argc < 2) { |
| return EXIT_FAILURE; |
| } |
| |
| ExifData *exifData = exif_data_new_from_file(argv[1]); |
| if (!exifData) { |
| return EXIT_FAILURE; |
| } |
| |
| ExifMnoteData *mData = exif_data_get_mnote_data(exifData); |
| if (!mData) { |
| exif_data_unref(exifData); |
| return EXIT_FAILURE; |
| } |
| |
| ExifMnoteDataPentax *mDataPentax = (ExifMnoteDataPentax *)mData; |
| if (!mDataPentax) { |
| exif_data_unref(exifData); |
| return EXIT_FAILURE; |
| } |
| |
| MnotePentaxEntry *entry = &mDataPentax->entries[VULNERABLE_ENTRY_INDEX]; |
| if (!entry) { |
| exif_data_unref(exifData); |
| return EXIT_FAILURE; |
| } |
| |
| size_t page_size = getpagesize(); |
| size_t num_pages = NUM_PAGES; |
| size_t total_size = page_size * num_pages; |
| unsigned char *start_ptr = (unsigned char *)memalign(page_size, total_size); |
| if (!start_ptr) { |
| exif_data_unref(exifData); |
| return EXIT_FAILURE; |
| } |
| unsigned char *mem_ptr = start_ptr + ((num_pages - 1) * page_size); |
| mprotect(mem_ptr, page_size, PROT_NONE); |
| |
| unsigned char *prev_ptr = entry->data; |
| entry->data = mem_ptr; |
| entry->size = 0; |
| |
| char value[VALUE_SIZE]; |
| exif_mnote_data_get_value(mData, VULNERABLE_ENTRY_INDEX, value, sizeof(value)); |
| |
| entry->data = prev_ptr; |
| free(start_ptr); |
| exif_data_unref(exifData); |
| return EXIT_SUCCESS; |
| } |