From 61ff8b3c318dda325f282c9c00216593322762d8 Mon Sep 17 00:00:00 2001
From: tabudz
Date: Wed, 17 Dec 2025 18:10:18 +0800
Subject: [PATCH] fix CVE-2019-9278

avoid the use of unsafe integer overflow checking constructs (unsigned integer operations cannot overflow, so "u1 + u2 > u1" can be optimized away) check for the actual sizes, which should also handle the overflows document other places google patched, but do not seem relevant due to other restrictions
---
 src/plugins/pictview/exif/libexif/exif-data.c | 21 ++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/plugins/pictview/exif/libexif/exif-data.c b/src/plugins/pictview/exif/libexif/exif-data.c
index 80533b6f1..30cab7078 100644
--- a/src/plugins/pictview/exif/libexif/exif-data.c
+++ b/src/plugins/pictview/exif/libexif/exif-data.c
@@ -191,9 +191,15 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
 	doff = offset + 8;
 
 	/* Sanity checks */
-	if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
+	if (doff >= size) {
 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
-			  "Tag data past end of buffer (%u > %u)", doff+s, size);
+			  "Tag starts past end of buffer (%u > %u)", doff, size);
+		return 0;
+	}
+
+	if (s > size - doff) {
+		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+			  "Tag data goes past end of buffer (%u > %u)", doff+s, size);
 		return 0;
 	}
 
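Review bot: The second exif_log in the new code still formats `doff+s`, and that sum wraps in unsigned arithmetic exactly in the cases the new `s > size - doff` guard is meant to catch, so the debug line can print a small number that looks as if it satisfies the bound. Log the operands the comparison actually uses, the way the thumbnail hunk later in this patch reports `s` and `ds-o`, e.g. `"Tag data goes past end of buffer (size %u, max would be %u)", s, size - doff`. The first message reads `(%u > %u)` while the guard is `doff >= size`, so the equal case prints `(N > N)`; `>=` in the text would match the condition. exif_data_load_data_entry starts and ends outside this hunk, so where `doff` and `s` come from cannot be confirmed here.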
@@ -308,13 +314,14 @@ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
 			       unsigned int ds, ExifLong o, ExifLong s)
 {
 	/* Sanity checks */
-	if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
-		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
-			  "Bogus thumbnail offset (%u) or size (%u).",
-			  o, s);
+	if (o >= ds) {
+		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
+		return;
+	}
+	if (s > ds - o) {
+		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
 		return;
 	}
-
 	if (data->data)
 		exif_mem_free (data->priv->mem, data->data);
 	if (!(data->data = exif_data_alloc (data, s))) {
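Review bot: The two new exif_log calls put the format string and its arguments on one long line, while the removed lines and the new lines in the exif_data_load_data_entry hunk wrap after `"ExifData",` onto a continuation line; wrapping them the same way keeps the file's logging layout uniform, and `ds-o` in the argument list should be spelled `ds - o` like the condition above it. Note that the old guard accepted `o == ds` together with `s == 0` (neither `o > ds` nor `o + s > ds` fired), whereas `o >= ds` now rejects that case; that is a harmless tightening but worth a line in the commit message since it is not mentioned there. The blank line between the sanity block and the `if (data->data)` free is dropped as a side effect, which reads as unintended. exif_data_load_data_thumbnail continues past the end of this hunk.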