Merge branch 'security-aosp-qt-release' into int/10/fp2 * security-aosp-qt-release: Zero initialize ExifMnoteData<vendor> during construction with exif_mnote_data_<vendor>_new. Ensure MakeNote data pointers are initialized with NULL. Fix MakerNote tag size overflow issues at read time. Change-Id: Ic91799dd110df43d3d01949bc0fddfdb12aaeb52

commit: 16cb1edb4a1ccccee02357a9b6f32795364a1a68 [log] [tgz]
author: Maarten Derks <maarten@fairphone.com> Wed Jan 12 13:20:13 2022 +0100
committer: Maarten Derks <maarten@fairphone.com> Wed Jan 12 13:20:13 2022 +0100
tree: 6faa21cce02cca27037696b5b06bc111242541da
parent: 5710343d6931e045e1c9e916488363875a2341e9 [diff]
parent: 0ed4794c63c558ec782c9092cba5999fa6e427b3 [diff]
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index b81b8ce..5a7763b 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c

@@ -39,6 +39,7 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
+#include <limits.h>
 
 #undef JPEG_MARKER_SOI
 #define JPEG_MARKER_SOI  0xd8
@@ -314,7 +315,10 @@
 			       unsigned int ds, ExifLong o, ExifLong s)
 {
 	/* Sanity checks */
-	if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
+	uint64_t o64 = (uint64_t) o;
+	uint64_t s64 = (uint64_t) s;
+	uint64_t ds64 = (uint64_t) ds;
+	if ((o64 + s64) > ds64) {
 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
 			  "Bogus thumbnail offset (%u) or size (%u).",
 			  o, s);
@@ -385,9 +389,9 @@
 	}
 
 	/* Read the number of entries */
-	if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
+	if ((offset > UINT_MAX - 2) || (offset + 2 > ds)) {
 		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
-			  "Tag data past end of buffer (%u > %u)", offset+2, ds);
+			  "Tag data past end of buffer (%u + 2 > %u)", offset, ds);
 		return;
 	}
 	n = exif_get_short (d + offset, data->priv->order);

diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
index 0ffb83e..347539c 100644
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c

@@ -1045,12 +1045,12 @@
 		d = 0.;
 		entry = exif_content_get_entry (
 			e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
-		if (entry && entry->data &&
+		if (entry && entry->data && (entry->size > 7) &&
 		    !strncmp ((char *)entry->data, "Minolta", 7)) {
 			entry = exif_content_get_entry (
 					e->parent->parent->ifd[EXIF_IFD_0],
 					EXIF_TAG_MODEL);
-			if (entry && entry->data) {
+			if (entry && entry->data && (entry->size > 8)) {
 				if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
 					d = 3.9;
 				else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))
commit	16cb1edb4a1ccccee02357a9b6f32795364a1a68	[log] [tgz]
author	Maarten Derks <maarten@fairphone.com>	Wed Jan 12 13:20:13 2022 +0100
committer	Maarten Derks <maarten@fairphone.com>	Wed Jan 12 13:20:13 2022 +0100
tree	6faa21cce02cca27037696b5b06bc111242541da
parent	5710343d6931e045e1c9e916488363875a2341e9 [diff]
parent	0ed4794c63c558ec782c9092cba5999fa6e427b3 [diff]