From 3dbdac0ce5f0a233e2b4a0e1854d38ef2f5cd2c4 Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Dec 17 2007 16:57:26 +0000
Subject: - CVE-2007-6353 (#425921)
---
diff --git a/exiv2-0.13-CVE-2007-6353.patch b/exiv2-0.13-CVE-2007-6353.patch
new file mode 100644
index 0000000..13b7fe9
--- /dev/null
+++ b/exiv2-0.13-CVE-2007-6353.patch
@@ -0,0 +1,89 @@
+Index: exiv2-0.13/src/exif.cpp
+===================================================================
+--- exiv2-0.13.orig/src/exif.cpp
++++ exiv2-0.13/src/exif.cpp
+@@ -215,10 +215,12 @@ namespace Exiv2 {
+ ExifData::const_iterator sizes;
+ ExifKey key("Exif.Thumbnail.StripByteCounts");
+ sizes = exifData.findKey(key);
+- if (sizes == exifData.end()) return 2;
++ if (sizes == exifData.end()) return 1;
+
+- long totalSize = 0;
++ uint32_t totalSize = 0;
+ for (long i = 0; i < sizes->count(); ++i) {
++ uint32_t size = sizes->toLong(i);
++ if (size > 0xffffffff - totalSize) return 1;
+ totalSize += sizes->toLong(i);
+ }
+ DataBuf stripsBuf(totalSize);
+@@ -228,21 +230,23 @@ namespace Exiv2 {
+ ExifData::iterator stripOffsets;
+ key = ExifKey("Exif.Thumbnail.StripOffsets");
+ stripOffsets = exifData.findKey(key);
+- if (stripOffsets == exifData.end()) return 2;
+- if (stripOffsets->count() != sizes->count()) return 2;
++ if (stripOffsets == exifData.end()) return 1;
++ if (stripOffsets->count() != sizes->count()) return 1;
+
+ std::ostringstream os; // for the strip offsets
+- long currentOffset = 0;
+- long firstOffset = stripOffsets->toLong(0);
+- long lastOffset = 0;
+- long lastSize = 0;
++ uint32_t currentOffset = 0;
++ uint32_t firstOffset = stripOffsets->toLong(0);
++ uint32_t lastOffset = 0;
++ uint32_t lastSize = 0;
+ for (long i = 0; i < stripOffsets->count(); ++i) {
+- long offset = stripOffsets->toLong(i);
++ uint32_t offset = stripOffsets->toLong(i);
+ lastOffset = offset;
+- long size = sizes->toLong(i);
++ uint32_t size = sizes->toLong(i);
+ lastSize = size;
+- if (len < offset + size) return 1;
+-
++ if ( size > 0xffffffff - offset
++ || static_cast(len) < offset + size) {
++ return 2;
++ }
+ memcpy(stripsBuf.pData_ + currentOffset, buf + offset, size);
+ os << currentOffset << " ";
+ currentOffset += size;
+@@ -303,12 +307,15 @@ namespace Exiv2 {
+ ExifKey key("Exif.Thumbnail.JPEGInterchangeFormat");
+ ExifData::iterator format = 
exifData.findKey(key); + if (format == exifData.end()) return 1; +- long offset = format->toLong(); ++ uint32_t offset = format->toLong(); + key = ExifKey("Exif.Thumbnail.JPEGInterchangeFormatLength"); + ExifData::const_iterator length = exifData.findKey(key); + if (length == exifData.end()) return 1; +- long size = length->toLong(); +- if (len < offset + size) return 2; ++ uint32_t size = length->toLong(); ++ if ( size > 0xffffffff - offset ++ || static_cast(len) < offset + size) { ++ return 2; ++ } + format->setDataArea(buf + offset, size); + format->setValue("0"); + if (pIfd1) { +@@ -595,8 +602,14 @@ namespace Exiv2 { + if (pIopIfd_) add(pIopIfd_->begin(), pIopIfd_->end(), byteOrder()); + if (pGpsIfd_) add(pGpsIfd_->begin(), pGpsIfd_->end(), byteOrder()); + if (pIfd1_) add(pIfd1_->begin(), pIfd1_->end(), byteOrder()); +- // Read the thumbnail (but don't worry whether it was successful or not) +- readThumbnail(); ++ // Finally, read the thumbnail ++ rc = readThumbnail(); ++ if (0 < rc) { ++#ifndef SUPPRESS_WARNINGS ++ std::cerr << "Warning: Failed to read thumbnail, rc = " ++ << rc << "\n"; ++#endif ++ } + + return 0; + } // ExifData::load diff --git a/exiv2.spec b/exiv2.spec index 82f0b4b..4e98a0d 100644 --- a/exiv2.spec +++ b/exiv2.spec @@ -7,7 +7,7 @@ Summary: Exif and Iptc metadata manipulation library Name: exiv2 Version: 0.15 -Release: 4%{?dist}.1 +Release: 5%{?dist} License: GPLv2+ Group: Applications/Multimedia @@ -22,6 +22,7 @@ BuildRequires: doxygen graphviz libxslt Patch1: exiv2-0.11-no_rpath.patch Patch2: exiv2-0.9.1-deps.patch +Patch3: exiv2-0.13-CVE-2007-6353.patch %if 0%{?libs} Requires: %{name}-libs = %{version}-%{release} @@ -71,6 +72,7 @@ methods for Exif thumbnails, classes to access Ifd and so on. %patch1 -p1 -b .no_rpath %patch2 -p1 -b .deps +%patch3 -p1 -b .CVE-2007-6353 mkdir doc/html 
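Review bot: In the first exif.cpp hunk (@@ -215), `totalSize` is guarded only against 32-bit wrap-around, so `DataBuf stripsBuf(totalSize)` can still be sized close to 4 GiB by the StripByteCounts of a small file; the comparison with `len` in the following hunk runs per strip, after that allocation. Assuming `len` is the length of `buf`, as the later checks suggest, a bound before the allocation such as `if (len < 0 || totalSize > static_cast<uint32_t>(len)) return 2;` would reject this early. It would also cover a negative `len`, which the casts in the @@ -228 and @@ -303 hunks would otherwise turn into a very large limit. The loop should add the value it just checked, `totalSize += size;`, instead of calling `sizes->toLong(i)` a second time. The enclosing functions start and end outside these hunks, so the declared type of `len` and of the `DataBuf` constructor argument could not be confirmed here.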
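Review bot: `Patch3` is named for exiv2-0.13 and its hunks address `exiv2-0.13/src/exif.cpp`, while this spec builds Version 0.15, so the `%patch3 -p1` step relies on the hunks still matching the 0.15 source. It is worth confirming in the build log that all four hunks apply without fuzz, since a fuzzy match can place a bounds check at the wrong statement. It is also worth checking that the 0.15 tree has no further `len < offset + size` comparisons that a patch written against 0.13 would not touch. A comment above the `Patch3:` line, for example `# CVE-2007-6353 (#425921): thumbnail offset/size overflow checks, written against 0.13`, would record the origin for whoever rebases to the next upstream release.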
@@ -125,6 +127,9 @@ rm -rf $FPM_BUILD_ROOT %changelog +* Mon Dec 17 2007 Rex Dieter 0.15-5 +- CVE-2007-6353 (#425921) + * Tue Sep 18 2007 Rex Dieter 0.15-4 - -libs: -Requires: %%name