~ubuntu-branches/ubuntu/natty/libexif/natty-security

Viewing changes to debian/patches/40_crash_looking_up_invalid_values.dpatch

  • Committer: Bazaar Package Importer
  • Author(s): Nico Golde
  • Date: 2007-12-21 17:13:58 UTC
  • mfrom: (5.1.5 hardy)
  • Revision ID: james.westby@ubuntu.com-20071221171358-zbjzk21kmnizelhk
Tags: 0.6.16-2.1
* Non-maintainer upload by security team.
* This update addresses the following security issues:
  - possible denial of service attack via crafted
    image file leading to an infinite recursion in the
    exif-loader.c (CVE-2007-6351; Closes: #457330).
  - integer overflow in exif-data.c triggered by a crafted
    image file could lead to arbitrary code execution
    (CVE-2007-6352; Closes: #457330).

 
#! /bin/sh /usr/share/dpatch/dpatch-run
 
## 40_crash_looking_up_invalid_values.dpatch by  <fpeters@debian.org>
 
##
 
## All lines beginning with `## DP:' are a description of the patch.
 
## DP: Fixed crashes when looking up invalid values (upstream bug #1457501)
 
 
 
@DPATCH@
 
diff -urNad libexif-0.6.13~/libexif/exif-entry.c libexif-0.6.13/libexif/exif-entry.c
 
--- libexif-0.6.13~/libexif/exif-entry.c        2005-10-03 20:32:03.000000000 +0200
 
+++ libexif-0.6.13/libexif/exif-entry.c 2007-05-08 11:43:36.582110536 +0200
 
@@ -527,7 +527,8 @@
 
   { EXIF_TAG_COLOR_SPACE,
 
     { {1, {N_("sRGB"), NULL}},
 
       {2, {N_("Adobe RGB"), NULL}},
 
-      {0xffff, {N_("Uncalibrated"), NULL}}}},
 
+      {0xffff, {N_("Uncalibrated"), NULL}},
 
+      {0x0000, {NULL}}}},
 
   {0, }
 
 };
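Review bot: The terminator added after the `0xffff` entry is recognised only by its NULL `values[0]`, and nothing in the table says so. A short comment on the `{0x0000, {NULL}}` line would make the convention explicit. Because this hunk touches only `EXIF_TAG_COLOR_SPACE`, it is also worth confirming that every other entry in this table ends the same way, since the lookup loop changed later in this patch stops on that marker alone.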
 
 
 
@@ -902,7 +903,7 @@
 
                }
 
 
 
                /* Find the value */
 
-               for (j = 0; list2[i].elem[j].values &&
 
+               for (j = 0; list2[i].elem[j].values[0] &&
 
                            (list2[i].elem[j].index < v_short); j++);
 
                if (list2[i].elem[j].index != v_short) {
 
                        snprintf (val, maxlen, _("Internal error (unknown "
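Review bot: The `for (j = 0; ...)` scan has no upper bound on `j`, so its termination rests entirely on a sentinel element with a NULL `values[0]` being present. If an entry's last real element has an index below `v_short` and no such terminator follows it, the scan still runs past the end of `elem`. Bounding `j` by the number of elements in `elem` in addition to the `values[0]` test would keep the lookup safe whatever the table contains. The empty loop body ending in `;` is also easy to misread; an explicit `{}` would help.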
 
@@ -912,8 +913,7 @@
 
 
 
                /* Find a short enough value */
 
                memset (val, 0, maxlen);
 
-               for (k = 0; list2[i].elem[j].values &&
 
-                           list2[i].elem[j].values[k]; k++) {
 
+               for (k = 0; list2[i].elem[j].values[k]; k++) {
 
                  l = strlen (_(list2[i].elem[j].values[k]));
 
                  if ((maxlen > l) && (strlen (val) < l))
 
                    strncpy (val, _(list2[i].elem[j].values[k]), maxlen - 1);
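Review bot: Dropping the `list2[i].elem[j].values &&` guard from the `for (k = 0; ...)` loop is correct only if `values` is an array inside the element rather than a pointer, which initialisers such as `{N_("sRGB"), NULL}` suggest but the patch does not state. The `## DP:` description should say that the old test could never be false, so that it is clear why `values[0]` replaces it in the earlier loop and why it is simply removed here. This loop also relies on each `values` list ending in NULL, which deserves a comment next to the table.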