From: Dan Fandrich Date: Sat, 16 May 2020 17:29:21 +0000 (+0200) Subject: Ensure the MakerNote data pointers are initialized with NULL. X-Git-Tag: accepted/tizen/6.0/unified/20201030.110329^0 X-Git-Url: http://review.tizen.org/git/?p=platform%2Fupstream%2Flibexif.git;a=commitdiff_plain;h=b3fd1b4c572667275713f2e7adae0fad548d311f Ensure the MakerNote data pointers are initialized with NULL. This ensures that an uninitialized pointer isn't dereferenced later in the case where the number of components (and therefore size) is 0. This fixes the second issue reported at https://sourceforge.net/p/libexif/bugs/125/ CVE-2020-13113 Change-Id: I93a19b0d66ef34b22a4485a492be92836711eb0a Signed-off-by: Jeongmo Yang --- diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c index 5c043cf..52f851b 100644 --- a/libexif/canon/exif-mnote-data-canon.c +++ b/libexif/canon/exif-mnote-data-canon.c @@ -234,6 +234,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne, for (i = c, o = datao; i; --i, o += 12) { size_t s; + memset(&n->entries[tcount], 0, sizeof(MnoteCanonEntry)); if (CHECKOVERFLOW(o,buf_size,12)) { exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteCanon", "Short MakerNote"); diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c index a0bcb67..2de0f67 100644 --- a/libexif/fuji/exif-mnote-data-fuji.c +++ b/libexif/fuji/exif-mnote-data-fuji.c @@ -198,6 +198,7 @@ exif_mnote_data_fuji_load (ExifMnoteData *en, for (i = c, o = datao; i; --i, o += 12) { size_t s; + memset(&n->entries[tcount], 0, sizeof(MnoteFujiEntry)); if (CHECKOVERFLOW(o, buf_size, 12)) { exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteDataFuji", "Short MakerNote"); diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c index 4d158ce..45e4bc5 100644 --- a/libexif/olympus/exif-mnote-data-olympus.c +++ b/libexif/olympus/exif-mnote-data-olympus.c 
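Review bot: The added `memset` in exif_mnote_data_canon_load carries no comment saying why slot `tcount` is cleared on every pass, and the same bare line is repeated in the fuji, olympus and pentax loaders. The commit message gives the reason (an entry with 0 components leaves its data pointer unset), so I would state it in the code: `/* Clear the slot so the data pointer stays NULL when the entry has 0 components */`. Writing the size as `sizeof(n->entries[tcount])` rather than `sizeof(MnoteCanonEntry)` would make the four lines identical and keep each correct if an entry type is ever renamed. The change turns an uninitialized pointer into a NULL one, so it only helps if the code that later reads or frees that pointer tests it for NULL; those consumers are outside the hunks and are worth confirming, ideally with a test image whose MakerNote entry has a component count of 0. The loop body continues past the end of each hunk.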
@@ -433,6 +433,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, tcount = 0; for (i = c, o = o2; i; --i, o += 12) { size_t s; + memset(&n->entries[tcount], 0, sizeof(MnoteOlympusEntry)); if (CHECKOVERFLOW(o, buf_size, 12)) { exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Short MakerNote"); diff --git a/libexif/pentax/exif-mnote-data-pentax.c b/libexif/pentax/exif-mnote-data-pentax.c index 319d4c6..c23a7e4 100644 --- a/libexif/pentax/exif-mnote-data-pentax.c +++ b/libexif/pentax/exif-mnote-data-pentax.c @@ -280,6 +280,7 @@ exif_mnote_data_pentax_load (ExifMnoteData *en, for (i = c, o = datao; i; --i, o += 12) { size_t s; + memset(&n->entries[tcount], 0, sizeof(MnotePentaxEntry)); if (CHECKOVERFLOW(o,buf_size,12)) { exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteDataPentax", "Short MakerNote"); diff --git a/packaging/libexif.spec b/packaging/libexif.spec index c6030ed..6a92be7 100644 --- a/packaging/libexif.spec +++ b/packaging/libexif.spec @@ -1,6 +1,6 @@ Name: libexif Version: 0.6.21 -Release: 3 +Release: 4 License: LGPL-2.1 Summary: An EXIF Tag Parsing Library for Digital Cameras Url: http://libexif.sourceforge.net