libexif: Fix read buffer overflow (CVE-2020-0093)

author Marcus Meissner <marcus@jet.franken.de>

Sat, 16 May 2020 14:47:42 +0000 (16:47 +0200)

committer Marcus Meissner <marcus@jet.franken.de>

Sat, 16 May 2020 14:47:42 +0000 (16:47 +0200)
author Marcus Meissner <marcus@jet.franken.de>
Sat, 16 May 2020 14:47:42 +0000 (16:47 +0200)
committer Marcus Meissner <marcus@jet.franken.de>
Sat, 16 May 2020 14:47:42 +0000 (16:47 +0200)
diff --git a/libexif/exif-data.c b/libexif/exif-data.c

index 6332cd1..65ae93d 100644 (file)
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -308,7 +308,9 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
         /* Write the data. Fill unneeded bytes with 0. Do not crash with
          * e->data is NULL */
         if (e->data) {
-               memcpy (*d + 6 + doff, e->data, s);
+               unsigned int len = s;
+               if (e->size < s) len = e->size;
+               memcpy (*d + 6 + doff, e->data, len);
         } else {
                 memset (*d + 6 + doff, 0, s);
         }
author	Marcus Meissner <marcus@jet.franken.de>
	Sat, 16 May 2020 14:47:42 +0000 (16:47 +0200)
committer	Marcus Meissner <marcus@jet.franken.de>
	Sat, 16 May 2020 14:47:42 +0000 (16:47 +0200)