From: Joachim Reichel <reichel@debian.org>
Description: Fix CVE-2021-34055
Origin: https://github.com/Matthias-Wandel/jhead/commit/f0a884210cc46830b176f71fd61569adc8f230a7
Bug: https://github.com/Matthias-Wandel/jhead/issues/36
Bug-Debian: https://bugs.debian.org/1024272
Index: jhead/jhead.h
===================================================================
--- jhead.orig/jhead.h
+++ jhead/jhead.h
@@ -163,7 +163,7 @@ void FileTimeAsString(char * TimeStr);
// Prototypes for exif.c functions.
int Exif2tm(struct tm * timeptr, char * ExifTime);
void Clear_EXIF();
-void process_EXIF (unsigned char * CharBuf, int length);
+int process_EXIF (unsigned char * CharBuf, int length);
void ShowImageInfo(int ShowFileInfo);
void ShowConciseImageInfo(void);
const char * ClearOrientation(void);
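Review bot: The changed process_EXIF prototype in jhead.h gives callers no indication of what the new int result means. Add a one-line comment next to the declaration stating that it returns nonzero when the Exif section was accepted and 0 when it was rejected as malformed, which is the convention the jpgfile.c caller in this patch relies on.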
Index: jhead/jpgfile.c
===================================================================
--- jhead.orig/jpgfile.c
+++ jhead/jpgfile.c
@@ -286,7 +286,10 @@ int ReadJpegSections (FILE * infile, Rea
// There can be different section using the same marker.
if (ReadMode & READ_METADATA){
if (memcmp(Data+2, "Exif", 4) == 0){
- process_EXIF(Data, itemlen);
+ if (!process_EXIF(Data, itemlen)){
+ // malformatted exif sections, discard.
+ free(Sections[--SectionsRead].Data);
+ }
break;
}else if (memcmp(Data+2, "http:", 5) == 0){
Sections[SectionsRead-1].Type = M_XMP; // Change tag for internal purposes.
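Review bot: In the new failure branch, free(Sections[--SectionsRead].Data); releases the buffer but leaves the slot's Data member holding the freed address. Setting Sections[SectionsRead].Data = NULL right after the free would make a later use or second free of that slot fail safely. Moving the decrement out of the free() argument onto its own line would also make the change to SectionsRead easier to spot.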
Index: jhead/exif.c
===================================================================
--- jhead.orig/exif.c
+++ jhead/exif.c
@@ -1006,7 +1006,7 @@ void Clear_EXIF ()
// Process a EXIF marker
// Describes all the drivel that most digital cameras include...
//--------------------------------------------------------------------------
-void process_EXIF (unsigned char * ExifSection, int length)
+int process_EXIF (unsigned char * ExifSection, int length)
{
int FirstOffset;
@@ -1021,7 +1021,7 @@ void process_EXIF (unsigned char * ExifS
static uchar ExifHeader[] = "Exif\0\0";
if (memcmp(ExifSection+2, ExifHeader,6)){
ErrNonfatal("Incorrect Exif header",0,0);
- return;
+ return 0;
}
}
@@ -1034,21 +1034,21 @@ void process_EXIF (unsigned char * ExifS
MotorolaOrder = 1;
}else{
ErrNonfatal("Invalid Exif alignment marker.",0,0);
- return;
+ return 0;
}
}
// Check the next value for correctness.
if (Get16u(ExifSection+10) != 0x2a){
ErrNonfatal("Invalid Exif start (1)",0,0);
- return;
+ return 0;
}
FirstOffset = (int)Get32u(ExifSection+12);
if (FirstOffset < 8 || FirstOffset > 16){
if (FirstOffset < 16 || FirstOffset > length-16 || length < 16){
ErrNonfatal("invalid offset for first Exif IFD value",0,0);
- return;
+ return 0;
}
// Usually set to 8, but other values valid too.
ErrNonfatal("Suspicious offset of first Exif IFD value",0,0);
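Review bot: The length < 16 test inside the FirstOffset check comes too late. Get16u(ExifSection+10) and Get32u(ExifSection+12) above it have already read bytes up to offset 15 of the section, and the test is only reached when FirstOffset falls outside 8..16. Consider rejecting length < 16 with return 0 before the first of those reads, so a short section is refused before its bytes are accessed.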
@@ -1088,6 +1088,7 @@ void process_EXIF (unsigned char * ExifS
ImageInfo.FocalLength35mmEquiv = (int)(ImageInfo.FocalLength/ImageInfo.CCDWidth*36 + 0.5);
}
}
+ return 1;
}
@@ -1237,6 +1238,7 @@ void create_EXIF(void)
const char * ClearOrientation(void)
{
int a;
+
if (NumOrientations == 0) return NULL;
for (a=0;a<NumOrientations;a++){
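Review bot: The only change in ClearOrientation is a blank line added after int a;, which is unrelated to the process_EXIF return-value fix. Drop this hunk so the security patch carries only the change under review.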