首页 发现 帮助
登录
PUBLIC_REPOS
/
buildroot
镜像自地址 git://git.buildroot.net/buildroot
2
1
派生 0
文件
目录树: 78e7807112
分支列表 标签列表
buildroot
/
package
/
libexif
/
0004-Improve-deep-recursion-detection-in-exif_data_load_d.patch

0004-Improve-deep-recursion-detection-in-exif_data_load_d.patch 4.5 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120 
  1. From 6aa11df549114ebda520dde4cdaea2f9357b2c89 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Dan Fandrich <dan@coneharvesters.com>
    3. 

  3. Date: Fri, 12 Oct 2018 16:01:45 +0200
    4. 

  4. Subject: [PATCH] Improve deep recursion detection in
    5. 

  5.  exif_data_load_data_content.
    6. 

  6. 

  7. The existing detection was still vulnerable to pathological cases
    8. 

  8. causing DoS by wasting CPU. The new algorithm takes the number of tags
    9. 

  9. into account to make it harder to abuse by cases using shallow recursion
    10. 

  10. but with a very large number of tags.  This improves on commit 5d28011c
    11. 

  11. which wasn't sufficient to counter this kind of case.
    12. 

  12. 

  13. The limitation in the previous fix was discovered by Laurent Delosieres,
    14. 

  14. Secunia Research at Flexera (Secunia Advisory SA84652) and is assigned
    15. 

  15. the identifier CVE-2018-20030.
    16. 

  16. 

  17. [Peter: drop NEWS change]
    18. 

  18. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    19. 

  19. ---
    20. 

  20.  libexif/exif-data.c | 45 +++++++++++++++++++++++++++++++++++++--------
    21. 

  21.  1 file changed, 37 insertions(+), 8 deletions(-)
    22. 

  22. 

  23. diff --git a/libexif/exif-data.c b/libexif/exif-data.c
    24. 

  24. index e35403d..a6f9c94 100644
    25. 

  25. --- a/libexif/exif-data.c
    26. 

  26. +++ b/libexif/exif-data.c
    27. 

  27. @@ -35,6 +35,7 @@
    28. 

  28.  #include <libexif/olympus/exif-mnote-data-olympus.h>
    29. 

  29.  #include <libexif/pentax/exif-mnote-data-pentax.h>
    30. 

  30.  
    31. 

  31. +#include <math.h>
    32. 

  32.  #include <stdlib.h>
    33. 

  33.  #include <stdio.h>
    34. 

  34.  #include <string.h>
    35. 

  35. @@ -350,6 +351,20 @@ if (data->ifd[(i)]->count) {				\
    36. 

  36.  	break;						\
    37. 

  37.  }
    38. 

  38.  
    39. 

  39. +/*! Calculate the recursion cost added by one level of IFD loading.
    40. 

  40. + *
    41. 

  41. + * The work performed is related to the cost in the exponential relation
    42. 

  42. + *   work=1.1**cost
    43. 

  43. + */
    44. 

  44. +static unsigned int
    45. 

  45. +level_cost(unsigned int n)
    46. 

  46. +{
    47. 

  47. +    static const double log_1_1 = 0.09531017980432493;
    48. 

  48. +
    49. 

  49. +	/* Adding 0.1 protects against the case where n==1 */
    50. 

  50. +	return ceil(log(n + 0.1)/log_1_1);
    51. 

  51. +}
    52. 

  52. +
    53. 

  53.  /*! Load data for an IFD.
    54. 

  54.   *
    55. 

  55.   * \param[in,out] data #ExifData
    56. 

  56. @@ -357,13 +372,13 @@ if (data->ifd[(i)]->count) {				\
    57. 

  57.   * \param[in] d pointer to buffer containing raw IFD data
    58. 

  58.   * \param[in] ds size of raw data in buffer at \c d
    59. 

  59.   * \param[in] offset offset into buffer at \c d at which IFD starts
    60. 

  60. - * \param[in] recursion_depth number of times this function has been
    61. 

  61. - * recursively called without returning
    62. 

  62. + * \param[in] recursion_cost factor indicating how expensive this recursive
    63. 

  63. + * call could be
    64. 

  64.   */
    65. 

  65.  static void
    66. 

  66.  exif_data_load_data_content (ExifData *data, ExifIfd ifd,
    67. 

  67.  			     const unsigned char *d,
    68. 

  68. -			     unsigned int ds, unsigned int offset, unsigned int recursion_depth)
    69. 

  69. +			     unsigned int ds, unsigned int offset, unsigned int recursion_cost)
    70. 

  70.  {
    71. 

  71.  	ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
    72. 

  72.  	ExifShort n;
    73. 

  73. @@ -378,9 +393,20 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
    74. 

  74.  	if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
    75. 

  75.  	  return;
    76. 

  76.  
    77. 

  77. -	if (recursion_depth > 12) {
    78. 

  78. +	if (recursion_cost > 170) {
    79. 

  79. +		/*
    80. 

  80. +		 * recursion_cost is a logarithmic-scale indicator of how expensive this
    81. 

  81. +		 * recursive call might end up being. It is an indicator of the depth of
    82. 

  82. +		 * recursion as well as the potential for worst-case future recursive
    83. 

  83. +		 * calls. Since it's difficult to tell ahead of time how often recursion
    84. 

  84. +		 * will occur, this assumes the worst by assuming every tag could end up
    85. 

  85. +		 * causing recursion.
    86. 

  86. +		 * The value of 170 was chosen to limit typical EXIF structures to a
    87. 

  87. +		 * recursive depth of about 6, but pathological ones (those with very
    88. 

  88. +		 * many tags) to only 2.
    89. 

  89. +		 */
    90. 

  90.  		exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
    91. 

  91. -			  "Deep recursion detected!");
    92. 

  92. +			  "Deep/expensive recursion detected!");
    93. 

  93.  		return;
    94. 

  94.  	}
    95. 

  95.  
    96. 

  96. @@ -422,15 +448,18 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
    97. 

  97.  			switch (tag) {
    98. 

  98.  			case EXIF_TAG_EXIF_IFD_POINTER:
    99. 

  99.  				CHECK_REC (EXIF_IFD_EXIF);
    100. 

  100. -				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
    101. 

  101. +				exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
    102. 

  102. +					recursion_cost + level_cost(n));
    103. 

  103.  				break;
    104. 

  104.  			case EXIF_TAG_GPS_INFO_IFD_POINTER:
    105. 

  105.  				CHECK_REC (EXIF_IFD_GPS);
    106. 

  106. -				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
    107. 

  107. +				exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
    108. 

  108. +					recursion_cost + level_cost(n));
    109. 

  109.  				break;
    110. 

  110.  			case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
    111. 

  111.  				CHECK_REC (EXIF_IFD_INTEROPERABILITY);
    112. 

  112. -				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
    113. 

  113. +				exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
    114. 

  114. +					recursion_cost + level_cost(n));
    115. 

  115.  				break;
    116. 

  116.  			case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
    117. 

  117.  				thumbnail_offset = o;
    118. 

  118. -- 
    119. 

  119. 2.20.1
    120. 

  120.