
Commit e6a38a1

dfandrichmsmeissn
authored andcommitted
Add a failsafe on the maximum number of Canon MakerNote subtags.
A malicious file could be crafted to cause extremely large values in some tags without tripping any buffer range checks. This is bad with the libexif representation of Canon MakerNotes because some arrays are turned into individual tags that the application must loop around. The largest value I've seen for failsafe_size in a (very small) sample of valid Canon files is <5000. The limit is set two orders of magnitude larger to avoid tripping up falsely in case some models use much larger values. Patch from Google. CVE-2020-13114
1 parent bbd35b1 commit e6a38a1


1 file changed

+21
-0
lines changed


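--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
@@ -32,6 +32,9 @@
 
 #define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
 
+/* Total size limit to prevent abuse by DoS */
+#define FAILSAFE_SIZE_MAX 1000000L
+
 static void
 exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
 {
@@ -204,6 +207,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
 ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
 ExifShort c;
 size_t i, tcount, o, datao;
+long failsafe_size = 0;
 
 if (!n || !buf || !buf_size) {
 exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
@@ -295,6 +299,23 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
 memcpy (n->entries[tcount].data, buf + dataofs, s);
 }
 
+/* Track the size of decoded tag data. A malicious file could
+ * be crafted to cause extremely large values here without
+ * tripping any buffer range checks. This is especially bad
+ * with the libexif representation of Canon MakerNotes because
+ * some arrays are turned into individual tags that the
+ * application must loop around. */
+failsafe_size += mnote_canon_entry_count_values(&n->entries[tcount]);
+
+if (failsafe_size > FAILSAFE_SIZE_MAX) {
+/* Abort if the total size of the data in the tags extraordinarily large, */
+exif_mem_free (ne->mem, n->entries[tcount].data);
+exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+"ExifMnoteCanon", "Failsafe tag size overflow (%lu > %ld)",
+failsafe_size, FAILSAFE_SIZE_MAX);
+break;
+}
+
 /* Tag was successfully parsed */
 ++tcount;
 }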
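Review bot: The log call in the new failsafe branch prints `failsafe_size`, declared as `long` in this same commit, with `%lu`, which is a format/argument type mismatch (undefined behavior per the C standard, and a -Wformat warning); the format string should read `"Failsafe tag size overflow (%ld > %ld)"`. After `exif_mem_free (ne->mem, n->entries[tcount].data);` the slot keeps its stale `data` pointer and size fields, so if any code after the loop walks past `tcount` it would see a dangling pointer; setting `n->entries[tcount].data = NULL;` there would make the abort path safe regardless. The accumulation also presumably relies on `mnote_canon_entry_count_values` returning a bounded value each iteration, since the sum is only compared after the add; if it can return anything close to LONG_MAX on 32-bit `long`, the check could be bypassed by signed overflow, which is worth confirming against that helper. The body of `exif_mnote_data_canon_load` continues outside the hunk.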
