Revbump to fix security bug #92035. Stable on amd64, sparc, and x86.

(Portage version: 2.0.51.21-r1)

4 files changed, 138 insertions, 0 deletions

diff --git a/media-libs/libexif/files/digest-libexif-0.5.12-r3 b/media-libs/libexif/files/digest-libexif-0.5.12-r3
new file mode 100644
index 000000000000..83a5d8ba424e
--- /dev/null
+++ b/media-libs/libexif/files/digest-libexif-0.5.12-r3
@@ -0,0 +1 @@
+MD5 97e17fa05cb638eed5e8e59db431ed3a libexif-0.5.12.tar.gz 443724
diff --git a/media-libs/libexif/files/digest-libexif-0.6.12-r3 b/media-libs/libexif/files/digest-libexif-0.6.12-r4
index 09504fee0be0..09504fee0be0 100644
--- a/media-libs/libexif/files/digest-libexif-0.6.12-r3
+++ b/media-libs/libexif/files/digest-libexif-0.6.12-r4
diff --git a/media-libs/libexif/files/libexif-0.5.12-recurse.patch b/media-libs/libexif/files/libexif-0.5.12-recurse.patch
new file mode 100644
index 000000000000..a877c7f22ac2
--- /dev/null
+++ b/media-libs/libexif/files/libexif-0.5.12-recurse.patch
@@ -0,0 +1,67 @@
+diff -Naurp libexif-0.5.12.orig/libexif/exif-data.c libexif-0.5.12/libexif/exif-data.c
+--- libexif-0.5.12.orig/libexif/exif-data.c	2005-05-09 13:40:51.000000000 -0700
++++ libexif-0.5.12/libexif/exif-data.c	2005-05-09 13:43:26.000000000 -0700
+@@ -172,9 +172,10 @@ exif_data_load_data_thumbnail (ExifData 
+ }
+ 
+ static void
+-exif_data_load_data_content (ExifData *data, ExifContent *ifd,
+-			     const unsigned char *d,
+-			     unsigned int ds, unsigned int offset)
++exif_data_load_data_content_recurse (ExifData *data, ExifContent *ifd,
++				     const unsigned char *d,
++				     unsigned int ds, unsigned int offset,
++				     unsigned int level)
+ {
+ 	ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+ 	ExifShort n;
+@@ -182,6 +183,11 @@ exif_data_load_data_content (ExifData *d
+ 	unsigned int i;
+ 	ExifTag tag;
+ 
++	if (level > 150)
++	  {
++	    return 0;
++	  }
++
+ 	/* Read the number of entries */
+ 	n = exif_get_short (d + offset, data->priv->order);
+ #ifdef DEBUG
+@@ -205,16 +213,16 @@ exif_data_load_data_content (ExifData *d
+ 					   data->priv->order);
+ 			switch (tag) {
+ 			case EXIF_TAG_EXIF_IFD_POINTER:
+-				exif_data_load_data_content (data,
+-					data->ifd[EXIF_IFD_EXIF], d, ds, o);
++				exif_data_load_data_content_recurse (data,
++					data->ifd[EXIF_IFD_EXIF], d, ds, o, level + 1);
+ 				break;
+ 			case EXIF_TAG_GPS_INFO_IFD_POINTER:
+-				exif_data_load_data_content (data,
+-					data->ifd[EXIF_IFD_GPS], d, ds, o);
++				exif_data_load_data_content_recurse (data,
++					data->ifd[EXIF_IFD_GPS], d, ds, o, level + 1);
+ 				break;
+ 			case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+-				exif_data_load_data_content (data,
+-					data->ifd[EXIF_IFD_INTEROPERABILITY], d, ds, o);
++				exif_data_load_data_content_recurse (data,
++					data->ifd[EXIF_IFD_INTEROPERABILITY], d, ds, o, level + 1);
+ 				break;
+ 			case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ #ifdef DEBUG
+@@ -252,6 +260,14 @@ exif_data_load_data_content (ExifData *d
+ }
+ 
+ static void
++exif_data_load_data_content (ExifData *data, ExifContent *ifd,
++			     const unsigned char *d,
++			     unsigned int ds, unsigned int offset)
++{
++  exif_data_load_data_content_recurse (data, ifd, d, ds, offset, 0);
++}
++
++static void
+ exif_data_save_data_content (ExifData *data, ExifContent *ifd,
+ 			     unsigned char **d, unsigned int *ds,
+ 			     unsigned int offset)
diff --git a/media-libs/libexif/files/libexif-0.6.12-recurse.patch b/media-libs/libexif/files/libexif-0.6.12-recurse.patch
new file mode 100644
index 000000000000..acd1caecb50f
--- /dev/null
+++ b/media-libs/libexif/files/libexif-0.6.12-recurse.patch
@@ -0,0 +1,70 @@
+--- libexif-0.6.12/libexif/exif-data.c.recurse	2005-05-06 13:35:17.610294000 -0400
++++ libexif-0.6.12/libexif/exif-data.c	2005-05-06 13:37:35.112654000 -0400
+@@ -284,9 +284,10 @@
+ }
+ 
+ static void
+-exif_data_load_data_content (ExifData *data, ExifContent *ifd,
+-			     const unsigned char *d,
+-			     unsigned int ds, unsigned int offset)
++exif_data_load_data_content_recurse (ExifData *data, ExifContent *ifd,
++				     const unsigned char *d,
++				     unsigned int ds, unsigned int offset,
++				     unsigned int level)
+ {
+ 	ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+ 	ExifShort n;
+@@ -296,6 +297,13 @@
+ 
+ 	if (!data || !data->priv) return;
+ 
++	if (level > 150)
++	  {
++	    exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
++		      "Deep recursion in exif_data_load_data_content");
++	    return 0;
++	  }
++
+ 	/* Read the number of entries */
+ 	if (offset >= ds - 1) return;
+ 	n = exif_get_short (d + offset, data->priv->order);
+@@ -320,18 +328,18 @@
+ 			switch (tag) {
+ 			case EXIF_TAG_EXIF_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_EXIF);
+-				exif_data_load_data_content (data,
+-					data->ifd[EXIF_IFD_EXIF], d, ds, o);
++				exif_data_load_data_content_recurse (data,
++					data->ifd[EXIF_IFD_EXIF], d, ds, o, level + 1);
+ 				break;
+ 			case EXIF_TAG_GPS_INFO_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_GPS);
+-				exif_data_load_data_content (data,
+-					data->ifd[EXIF_IFD_GPS], d, ds, o);
++				exif_data_load_data_content_recurse (data,
++					data->ifd[EXIF_IFD_GPS], d, ds, o, level + 1);
+ 				break;
+ 			case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_INTEROPERABILITY);
+-				exif_data_load_data_content (data,
+-					data->ifd[EXIF_IFD_INTEROPERABILITY], d, ds, o);
++				exif_data_load_data_content_recurse (data,
++					data->ifd[EXIF_IFD_INTEROPERABILITY], d, ds, o, level + 1);
+ 				break;
+ 			case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ 				thumbnail_offset = o;
+@@ -373,6 +381,14 @@
+ }
+ 
+ static void
++exif_data_load_data_content (ExifData *data, ExifContent *ifd,
++			     const unsigned char *d,
++			     unsigned int ds, unsigned int offset)
++{
++  exif_data_load_data_content_recurse (data, ifd, d, ds, offset, 0);
++}
++
++static void
+ exif_data_save_data_content (ExifData *data, ExifContent *ifd,
+ 			     unsigned char **d, unsigned int *ds,
+ 			     unsigned int offset)