From: Dan F. <dfa...@us...> - 2012-07-12 17:02:03
Update of /cvsroot/libexif/exif/libjpeg In directory vz-cvs-4.sog:/tmp/cvs-serv17803/libjpeg Modified Files: jpeg-data.c Log Message: Fixed bug that caused exif to read past the end of a buffer. At worst, data->size would underflow which would cause a gigantic read past the end of the heap buffer and likely subsequent crash, which would only happen with a corrupted input file. It might be possible to copy sensitive information from process memory. This fixes CVE-2012-2845 Index: jpeg-data.c =================================================================== RCS file: /cvsroot/libexif/exif/libjpeg/jpeg-data.c,v retrieving revision 1.23 retrieving revision 1.24 diff -u -d -r1.23 -r1.24 --- jpeg-data.c 12 Jul 2012 16:51:46 -0000 1.23 +++ jpeg-data.c 12 Jul 2012 17:02:01 -0000 1.24 @@ -205,7 +205,7 @@ for (i = 0; i < MIN(7, size - o); i++) if (d[o + i] != 0xff) break; - if (!JPEG_IS_MARKER (d[o + i])) { + if ((i >= size - o) || !JPEG_IS_MARKER (d[o + i])) { exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "jpeg-data", _("Data does not follow JPEG specification.")); return; @@ -226,10 +226,11 @@ default: /* Read the length of the section */ + if (2 > size - o) { o = size; break; } len = ((d[o] << 8) | d[o + 1]) - 2; if (len > size) { o = size; break; } o += 2; - if (o + len > size) { o = size; break; } + if (len > size - o) { o = size; break; } switch (s->marker) { case JPEG_MARKER_APP1: 
@@ -248,14 +249,18 @@ /* In case of SOS, image data will follow. */ if (s->marker == JPEG_MARKER_SOS) { - /* -2 means 'take all but the last 2 bytes which are hoped to be JPEG_MARKER_EOI */ - data->size = size - 2 - o - len; - if (d[o + len + data->size] != 0xFF) { - /* A truncated file (i.e. w/o JPEG_MARKER_EOI at the end). - Instead of trying to use the last two bytes as marker, - touching memory beyond allocated memory and posssibly saving - back screwed file, we rather take the rest of the file. */ - data->size += 2; + data->size = size - o - len; + if (data->size >= 2) { + /* -2 means 'take all but the last 2 bytes which are + hoped to be JPEG_MARKER_EOI */ + data->size -= 2; + if (d[o + len + data->size] != 0xFF) { + /* A truncated file (i.e. w/o JPEG_MARKER_EOI at the end). + Instead of trying to use the last two bytes as marker, + touching memory beyond allocated memory and posssibly saving + back screwed file, we rather take the rest of the file. */ + data->size += 2; + } } data->data = malloc ( sizeof (char) * data->size); |
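Review bot: in the first hunk (`@@ -205,7 +205,7 @@`), the added `(i >= size - o)` test is the right fix for the case where the 0xff-skipping loop exhausts the remaining bytes before `d[o + i]` is read, but it only works if `o <= size` holds on entry: with unsigned `o` and `size`, `size - o` wraps when `o > size` and both the `MIN(7, size - o)` bound and the new guard are defeated. State that invariant in a comment at the top of the loop (or assert it) so a later change to how `o` advances cannot silently reintroduce the over-read. Reusing the `EXIF_LOG_CODE_CORRUPT_DATA` message for the ran-out-of-data case is acceptable, though a distinct wording would make truncated input easier to tell apart from a bad marker byte when debugging reports.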
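Review bot: in the second hunk (`@@ -226,10 +226,11 @@`), the new `if (2 > size - o) { o = size; break; }` makes the two-byte read of the length field safe, but `len = ((d[o] << 8) | d[o + 1]) - 2;` still goes negative (or wraps, depending on the type of `len`) when the encoded field is 0 or 1, which the JPEG specification does not permit; validate the raw field before subtracting, e.g. `if (((d[o] << 8) | d[o + 1]) < 2) { o = size; break; }`. Once `len` is guaranteed non-negative, the replacement check `if (len > size - o)` already implies `len <= size`, so the older `if (len > size) { o = size; break; }` on the line above it becomes redundant and can be dropped rather than leaving two overlapping bounds checks.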
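Review bot: in the third hunk (`@@ -248,14 +249,18 @@`), `data->size = size - o - len;` is only non-negative because of the `if (len > size - o)` check added in the previous hunk, and the `d[o + len + data->size]` probe lands on index `size - 2` for the same reason; that cross-hunk dependency should be documented in a comment next to the assignment so the two checks are not changed independently. When `data->size` is 0 or 1 the new `if (data->size >= 2)` block is skipped and `malloc (sizeof (char) * data->size)` is called with a size of 0 or 1; `malloc(0)` may legitimately return NULL, so the code after this hunk needs to distinguish "no image data" from an allocation failure. The comment carried into the new block still reads "posssibly" (should be "possibly") and "back screwed file" is awkward; worth tidying while the block is being rewritten.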