From b14c73c115a94a9e87144f990be306fea7114964 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Wed, 11 Apr 2012 11:22:19 +0200
Subject: [PATCH] Fix security bug for special crafted EXIF properties

The original patch for CVE-2012-0259 turned out to be insufficient.
The problem is an integer overflow error in the "GetEXIFProperty()"
function (magick/property.c, around line 1288):
number_bytes=(size_t) components*tag_bytes[format];
When processing EXIF directory entries with tags of e.g. format 5
(EXIF_FMT_URATIONAL) and a large components count, the calculation can
overflow and e.g. lead to "number_bytes" being 0. If that's the case,
subsequent checks can be bypassed, resulting in the loop in the
"EXIFMultipleFractions" macro iterating through a large number of
"components". This leads to out-of-bound reads until eventually causing
a segmentation fault when trying to read beyond the limits of heap memory.
CVE-2012-1610 has been assigned to this issue.
Note: The initial patch for this issue is still necessary to prevent
access of uninitialized/incorrect memory when e.g. processing specially
crafted EXIF tags with a component count of 0.
Origin: upstream
Applied-Upstream: 6.7.6-4
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667635
---
magick/profile.c | 7 +++++--
magick/property.c | 4 ++--
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/magick/profile.c b/magick/profile.c
index 92e56f4..28cbeab 100644
--- a/magick/profile.c
+++ b/magick/profile.c
@@ -1843,8 +1843,9 @@ MagickExport MagickBooleanType SyncImageProfiles(Image *image)
number_entries=ReadProfileShort(endian,directory);
for ( ; entry < number_entries; entry++)
{
+ ssize_t
+ components;
long
- components,
format,
tag_value;
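Review bot: the reason `components` is pulled out of the `long` group into its own signed `ssize_t` declaration is not documented anywhere in the hunk. Since the value is later narrowed through `(int)` and can therefore be negative, a one-line comment above `ssize_t components;` saying that a negative count is possible and is rejected by the size check below would save the next reader from wondering why the type changed but stayed signed.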
@@ -1863,8 +1864,10 @@ MagickExport MagickBooleanType SyncImageProfiles(Image *image)
format=(long) ReadProfileShort(endian,q+2);
if ((format-1) >= EXIF_NUM_FORMATS)
break;
- components=(long) ReadProfileLong(endian,q+4);
+ components=(ssize_t) ((int) ReadProfileLong(endian,q+4));
number_bytes=(size_t) components*format_bytes[format];
+ if (number_bytes < components)
+ break; /* prevent overflow */
if (number_bytes <= 4)
p=q+8;
else
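Review bot: the new guard `if (number_bytes < components) break;` only detects a wrap when the product lands below `components`; with a 32-bit `size_t` and `format_bytes[format]` of 8, `components = 0x7FFFFFFF` gives `number_bytes = 0xFFFFFFF8`, which passes the check although the multiplication overflowed. Two cheap additions make the intent exact: reject the sign-cast result up front with `if (components < 0) break;` (the `(ssize_t) ((int) ...)` narrowing turns any raw value >= 0x80000000 negative, and the comparison then silently converts it to a huge unsigned value), and test the multiplication as `if ((size_t) components > SIZE_MAX/format_bytes[format]) break;` instead of relying on the wrapped result.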
diff --git a/magick/property.c b/magick/property.c
index 9bde6f3..cd3d153 100644
--- a/magick/property.c
+++ b/magick/property.c
@@ -1284,7 +1284,7 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
number_entries=(size_t) ((int) ReadPropertyShort(endian,directory));
for ( ; entry < number_entries; entry++)
{
- long
+ ssize_t
components;
register unsigned char
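Review bot: the `long` to `ssize_t` change here mirrors the one in profile.c, but on LP64 targets both types are 64-bit, so this hunk changes nothing by itself; the behavioural part of the fix for this function is the `(int)` cast in the following hunk. Mention that in the commit message, or the type change will look like an unrelated cleanup to whoever bisects this later.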
@@ -1305,7 +1305,7 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
format=(size_t) ((int) ReadPropertyShort(endian,q+2));
if (format >= (sizeof(tag_bytes)/sizeof(*tag_bytes)))
break;
- components=(long) ReadPropertyLong(endian,q+4);
+ components=(ssize_t) ((int) ReadPropertyLong(endian,q+4));
number_bytes=(size_t) components*tag_bytes[format];
if (number_bytes < components)
break; /* prevent overflow */
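Review bot: only the narrowing cast changes in this hunk; the `number_bytes < components` guard is already unchanged context, so the commit message's description of the overflow in GetEXIFProperty() is not matched by a new check here. The cast's effect is that a raw count >= 0x80000000 becomes negative and is then rejected only because the unsigned comparison sees it as a huge value. Make that explicit with `if (components < 0) break;` after the assignment, and note that the existing guard does not catch every wrap of a 32-bit `size_t` (e.g. `0x7FFFFFFF * 8`), so a `SIZE_MAX/tag_bytes[format]` division check would be the robust form.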
--
1.7.10
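To make the arithmetic in the patch concrete, here is an added, self-contained C model of the `components * tag_bytes[format]` calculation that is not part of the patch or of ImageMagick. It deliberately uses `uint32_t` in place of `size_t` to reproduce the 32-bit case the commit message describes, keeps the `(int)` narrowing cast from the hunks, and places the patch's `number_bytes < components` guard next to an exact division-based check. The `tag_bytes` table is constructed here from the standard EXIF format sizes; the function names and the `entry_size` struct are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed table of bytes per EXIF value format (format 0 is not a valid
 * EXIF format; entries 1..12 follow the EXIF specification). */
static const uint32_t tag_bytes[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
#define NUM_FORMATS (sizeof(tag_bytes) / sizeof(*tag_bytes))

/* Outcome of validating one IFD entry: whether it was accepted, and the
 * byte count that would be used to walk the entry's data. */
typedef struct {
    bool ok;
    uint32_t number_bytes;
} entry_size;

/* The pre-patch arithmetic, with a 32-bit size_t: the product is taken
 * modulo 2^32, so a large count can wrap to 0 and defeat later checks. */
uint32_t entry_size_unchecked(uint32_t format, uint32_t components_raw)
{
    if (format == 0 || format >= NUM_FORMATS)
        return 0;
    return components_raw * tag_bytes[format];   /* may wrap */
}

/* The patch's logic: narrow through (int), multiply in the unsigned type,
 * reject when the wrapped product is smaller than the count. */
entry_size entry_size_patch_check(uint32_t format, uint32_t components_raw)
{
    entry_size r = {false, 0};
    if (format == 0 || format >= NUM_FORMATS)
        return r;
    /* (int) narrowing as in the hunks; values >= 0x80000000 become negative
     * (two's complement wrap, implementation-defined but universal). */
    int32_t components = (int32_t) components_raw;
    uint32_t number_bytes = (uint32_t) components * tag_bytes[format];
    if (number_bytes < (uint32_t) components)
        return r;                                /* "prevent overflow" */
    r.ok = true;
    r.number_bytes = number_bytes;
    return r;
}

/* Exact alternative: refuse negative counts outright and test the
 * multiplication by division, so no wrapped product is ever accepted. */
entry_size entry_size_exact_check(uint32_t format, uint32_t components_raw)
{
    entry_size r = {false, 0};
    if (format == 0 || format >= NUM_FORMATS)
        return r;
    if (components_raw > (uint32_t) INT32_MAX)   /* would go negative via (int) */
        return r;
    uint32_t per = tag_bytes[format];
    if (components_raw > UINT32_MAX / per)       /* product cannot fit */
        return r;
    r.ok = true;
    r.number_bytes = components_raw * per;
    return r;
}

static void show(const char *label, uint32_t format, uint32_t count)
{
    entry_size p = entry_size_patch_check(format, count);
    entry_size e = entry_size_exact_check(format, count);
    printf("%-28s unchecked=0x%08lx patch:%s(0x%08lx) exact:%s\n", label,
           (unsigned long) entry_size_unchecked(format, count),
           p.ok ? "accept" : "reject", (unsigned long) p.number_bytes,
           e.ok ? "accept" : "reject");
}

int main(void)
{
    show("benign, 16 rationals", 5, 16u);
    show("CVE-2012-1610 wrap to 0", 5, 0x20000000u);
    show("wrap not below count", 5, 0x7FFFFFFFu);
    show("negative after (int)", 1, 0x80000000u);
    return 0;
}
```

The second case reproduces the commit message: 0x20000000 rationals of 8 bytes is exactly 2^32, so the product wraps to 0 and the patch's guard catches it. The third case shows the limit of that guard: 0x7FFFFFFF * 8 wraps to 0xFFFFFFF8, which is still larger than the count and is accepted, while the division check rejects it.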