Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / libexif / refs/heads/int/p/fp2^1..refs/heads/int/p/fp2 / .
commit3394f12eb0c4135a7a2e2396927dd417710fa0a2[log] [tgz]
authorKarsten Tausche <karsten@fairphone.com>Wed Jan 20 10:10:41 2021 +0100
committerKarsten Tausche <karsten@fairphone.com>Wed Jan 20 10:10:41 2021 +0100
tree7a7b5751b75ba91335cfaea383d61bc692bf0a08
parent50eb5ed524b85db9fb373b8480e3faa20bf5585b [diff]
parent3d81a0910d245cf1e84945b0ec7294caf34f2a3b [diff]
Merge the 2021-02-05 SPL branch from AOSP-Partner

* security-aosp-pi-release:
  fixes some (not all) buffer overreads during decoding pentax makernote entries.
  libexif: Avoid buffer overflow due to compiler optimization

Change-Id: If04d0337b2875d56b2b4feba7bb09af5753108c7

diff --git a/Android.bp b/Android.bp
index 62ba943..1db830f 100644
--- a/Android.bp
+++ b/Android.bp

@@ -50,6 +50,10 @@
         "libexif/pentax/mnote-pentax-tag.c",
     ],
 
+    shared_libs: [
+        "liblog",
+    ],
+
     export_include_dirs: ["."],
 
     cflags: [

diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
index 0f72865..0ffb83e 100644
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c

@@ -31,6 +31,8 @@
 #include <string.h>
 #include <time.h>
 #include <math.h>
+#include <limits.h>
+#include <log/log.h>
 
 #ifndef M_PI
 #define M_PI 3.14159265358979323846
@@ -1376,7 +1378,10 @@
 	case EXIF_TAG_XP_SUBJECT:
 	{
 		/* Sanity check the size to prevent overflow */
-		if (e->size+sizeof(unsigned short) < e->size) break;
+		if (e->size > UINT_MAX - sizeof(unsigned short)) {
+			android_errorWriteLog(0x534e4554, "159625731");
+			break;
+		}
 
 		/* The tag may not be U+0000-terminated , so make a local
 		   U+0000-terminated copy before converting it */

diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
index 7e97c2c..dcb1560 100644
--- a/libexif/pentax/mnote-pentax-entry.c
+++ b/libexif/pentax/mnote-pentax-entry.c

@@ -425,24 +425,34 @@
 		case EXIF_FORMAT_SHORT:
 		  {
 			const unsigned char *data = entry->data;
-		  	size_t k, len = strlen(val);
+		  	size_t k, len = strlen(val), sizeleft;
+
+			sizeleft = entry->size;
 		  	for(k=0; k<entry->components; k++) {
+				if (sizeleft < 2)
+					break;
 				vs = exif_get_short (data, entry->order);
 				snprintf (val+len, maxlen-len, "%i ", vs);
 				len = strlen(val);
 				data += 2;
+				sizeleft -= 2;
 			}
 		  }
 		  break;
 		case EXIF_FORMAT_LONG:
 		  {
 			const unsigned char *data = entry->data;
-		  	size_t k, len = strlen(val);
+		  	size_t k, len = strlen(val), sizeleft;
+
+			sizeleft = entry->size;
 		  	for(k=0; k<entry->components; k++) {
+				if (sizeleft < 4)
+					break;
 				vl = exif_get_long (data, entry->order);
 				snprintf (val+len, maxlen-len, "%li", (long int) vl);
 				len = strlen(val);
 				data += 4;
+				sizeleft -= 4;
 			}
 		  }
 		  break;
@@ -455,5 +465,5 @@
 		break;
 	}
 
-	return (val);
+	return val;
 }