Improper boundary checking -> SIGSEGV

Bug #13499 reported by Sylvain Defresne
Affects: libexif (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Martin Pitt

Bug Description

The exif library fails to validate input in several places, and
a jpeg image with invalid exif data may crash the user application.

The attached patch fixes some obvious improper accesses to data
without boundary checks. There may be others that I have not
found (as I have just given it a quick look to correct a crash
caused by some of my images).

Sylvain Defresne (sdefresne) wrote :

Created an attachment (id=1508)
The patch mentioned in the bug report

This patch simply returns from the exif_data_load_data function when
reading data at the given offset would read outside the data buffer.

Marcus Meissner (meissner) wrote :

the first one is a true problem, the second and third one should be fixed in newer libexif
versions.

do you have a sample image for cross checking?

Martin Pitt (pitti) wrote :

Fixed Warty in USN-91-1.

Fixed Hoary in
 libexif (0.6.9-4ubuntu1) hoary; urgency=low
 .
  * SECURITY UPDATE: Fix buffer overflow.
  * libexif/exif-data.c: Add buffer size checks in several places before
    trying to access it.
  * Thanks to Sylvain Defresne for spotting this and the patch.
  * References:
    https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152
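
The kind of check the changelog above describes (verify the buffer size before each access), as an added example that is not libexif's code or the attached patch. It assumes a little-endian TIFF-style directory whose offsets are relative to the start of the buffer; `ifd_check`, `in_bounds`, `rd_le` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Overflow-safe: do `len` bytes starting at `off` fit in a buffer of `size`? */
static int in_bounds(size_t off, size_t len, size_t size)
{
    return off <= size && len <= size - off;   /* never computes off + len */
}

static uint32_t rd_le(const unsigned char *p, int n)  /* little-endian, n = 2 or 4 */
{
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
/* Bytes per component for TIFF types 1..12 (index 0 unused). */
static const size_t type_size[] = { 0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8 };

/* Returns the entry count of the directory at ifd_off, or -1 if reading the
 * count, any 12-byte entry, or any out-of-line value would leave buf[0..size). */
int ifd_check(const unsigned char *buf, size_t size, size_t ifd_off)
{
    if (!in_bounds(ifd_off, 2, size))
        return -1;                              /* directory offset is outside */
    size_t n = rd_le(buf + ifd_off, 2);
    if (!in_bounds(ifd_off + 2, n * 12, size))
        return -1;                              /* claims more entries than exist */
    for (size_t i = 0; i < n; i++) {
        const unsigned char *e = buf + ifd_off + 2 + i * 12;
        uint32_t type = rd_le(e + 2, 2), count = rd_le(e + 4, 4);
        if (type < 1 || type > 12)
            return -1;                          /* this sketch rejects unknown types */
        uint64_t bytes = (uint64_t)count * type_size[type];
        if (bytes > 4 && (bytes > size || !in_bounds(rd_le(e + 8, 4), (size_t)bytes, size)))
            return -1;                          /* value data lies outside the buffer */
    }
    return (int)n;
}

/* Constructed sample: 1 entry (tag 0x010F, ASCII, count 6, data at offset 14). */
const unsigned char sample_ifd[20] = { 0x01, 0x00, 0x0F, 0x01, 0x02, 0x00,
    0x06, 0, 0, 0, 0x0E, 0, 0, 0, 'C', 'a', 'n', 'o', 'n', 0 };

int main(void)
{
    printf("full: %d, truncated: %d\n", ifd_check(sample_ifd, 20, 0), ifd_check(sample_ifd, 19, 0));
    return 0;
}
```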

Martin Pitt (pitti) wrote :

*** Bug 13621 has been marked as a duplicate of this bug. ***
