
Commit ec412aa

dfandrichmsmeissn
authored andcommitted
Ensure the MakerNote data pointers are initialized with NULL.
This ensures that an uninitialized pointer isn't dereferenced later in the case where the number of components (and therefore size) is 0. This fixes the second issue reported at https://sourceforge.net/p/libexif/bugs/125/ CVE-2020-13113
1 parent 435e21f commit ec412aa


4 files changed

+4
-0
lines changed

4 files changed

+4
-0
lines changed

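--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
@@ -236,6 +236,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
 for (i = c, o = datao; i; --i, o += 12) {
 size_t s;
 
+memset(&n->entries[tcount], 0, sizeof(MnoteCanonEntry));
 if (CHECKOVERFLOW(o,buf_size,12)) {
 exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
 "ExifMnoteCanon", "Short MakerNote");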
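Review bot: The added `memset(&n->entries[tcount], 0, sizeof(MnoteCanonEntry));` spells out the element type by hand, and the same line is repeated in the Fuji, Olympus and Pentax loaders with a different type name each time, so a copy-paste slip would clear the wrong number of bytes without any compiler diagnostic. Writing it as `memset(&n->entries[tcount], 0, sizeof n->entries[tcount]);` ties the size to the slot itself and makes the four lines identical. The line also has no comment, so its purpose lives only in the commit message; something like `/* clear the slot so its data pointer is NULL when size is 0 */` would keep a later cleanup from dropping it. The loop body continues outside the hunk, so whether every path that skips an entry leaves the pointer NULL cannot be confirmed from these lines.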
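--- a/libexif/fuji/exif-mnote-data-fuji.c
+++ b/libexif/fuji/exif-mnote-data-fuji.c
@@ -198,6 +198,7 @@ exif_mnote_data_fuji_load (ExifMnoteData *en,
 for (i = c, o = datao; i; --i, o += 12) {
 size_t s;
 
+memset(&n->entries[tcount], 0, sizeof(MnoteFujiEntry));
 if (CHECKOVERFLOW(o, buf_size, 12)) {
 exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
 "ExifMnoteDataFuji", "Short MakerNote");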
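--- a/libexif/olympus/exif-mnote-data-olympus.c
+++ b/libexif/olympus/exif-mnote-data-olympus.c
@@ -425,6 +425,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
 tcount = 0;
 for (i = c, o = o2; i; --i, o += 12) {
 size_t s;
+memset(&n->entries[tcount], 0, sizeof(MnoteOlympusEntry));
 if (CHECKOVERFLOW(o, buf_size, 12)) {
 exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
 "ExifMnoteOlympus", "Short MakerNote");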
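--- a/libexif/pentax/exif-mnote-data-pentax.c
+++ b/libexif/pentax/exif-mnote-data-pentax.c
@@ -280,6 +280,7 @@ exif_mnote_data_pentax_load (ExifMnoteData *en,
 for (i = c, o = datao; i; --i, o += 12) {
 size_t s;
 
+memset(&n->entries[tcount], 0, sizeof(MnotePentaxEntry));
 if (CHECKOVERFLOW(o,buf_size,12)) {
 exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
 "ExifMnoteDataPentax", "Short MakerNote");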