File CVE-2021-3496.patch of Package jhead.17742

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2021-3496.patch of Package jhead.17742

Index: jhead-3.00/makernote.c
===================================================================
--- jhead-3.00.orig/makernote.c	2021-04-19 11:06:10.769293809 +0200
+++ jhead-3.00/makernote.c	2021-04-19 11:09:01.526237027 +0200
@@ -65,7 +65,7 @@ static void ProcessCanonMakerNoteDir(uns
             unsigned OffsetVal;
             OffsetVal = Get32u(DirEntry+8);
             // If its bigger than 4 bytes, the dir entry contains an offset.
-            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
+            if (OffsetVal+ByteCount > (unsigned)ExifLength || OffsetVal > 65536){
                 // Bogus pointer offset and / or bytecount value
                 ErrNonfatal("Illegal value pointer for Exif maker tag %04x", Tag,0);
                 continue;
@@ -120,6 +120,7 @@ static void ProcessCanonMakerNoteDir(uns
                 }
         }
         if (Tag == 1 && Components > 16){
+            if (ByteCount < 17 * sizeof(short)) continue; // Fuzztest -- not enough allocated.
             int IsoCode = Get16u(ValuePtr + 16*sizeof(unsigned short));
             if (IsoCode >= 16 && IsoCode <= 24){
                 ImageInfo.ISOequivalent = 50 << (IsoCode-16);
@@ -127,6 +128,7 @@ static void ProcessCanonMakerNoteDir(uns
         }
 
         if (Tag == 4 && Format == FMT_USHORT){
+            if (ByteCount < 20 * sizeof(short)) continue; // Fuzztest -- not enough allocated.
             if (Components > 7){
                 int WhiteBalance = Get16u(ValuePtr + 7*sizeof(unsigned short));
                 switch(WhiteBalance){

Places

File CVE-2021-3496.patch of Package jhead.17742

Places