mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-05-07 05:10:20 +00:00
Code Issues Projects Releases Wiki Activity

libgphoto2: patch CVE-2026-40333

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-40333

Backport the patch referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This commit is contained in:
Gyorgy Sarvari
2026-04-20 08:27:41 +02:00
committed by Khem Raj
parent 24d9844515
commit 754e02c668
2 changed files with 153 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-graphics/gphoto2/libgphoto2/CVE-2026-40333.patch
+150
View File
@@ -0,0 +1,150 @@
From 8fefd2da7b9e2c7c448086cd251b108c0ebf1262 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Wed, 8 Apr 2026 15:18:42 +0200
Subject: [PATCH] Fixed EOS ImageFormat/CustomFuncEx Parsers Lack Length
Parameter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() accept
const unsigned char** data but no length/size parameter. They perform
unbounded reads via dtoh32o calls (up to 36 bytes for ImageFormat,
up to 1024 bytes for CustomFuncEx). Callers in ptp_unpack_EOS_events()
have xsize available but never pass it.
CVE-2026-40333
Reported-By: Sebastián Alba <sebasjosue84@gmail.com>
CVE: CVE-2026-40333
Upstream-Status: Backport [https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
camlibs/ptp2/ptp-pack.c | 53 ++++++++++++++++++++++++++++++++++-------
1 file changed, 44 insertions(+), 9 deletions(-)
diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
index 09421b7..09dcc24 100644
--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
@@ -1448,7 +1448,7 @@ ptp_unpack_Canon_EOS_FE (PTPParams *params, const unsigned char* data, unsigned
static inline uint16_t
-ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data )
+ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data, unsigned int *size )
{
/*
EOS ImageFormat entries look are a sequence of u32 values:
@@ -1492,30 +1492,57 @@ ptp_unpack_EOS_ImageFormat (PTPParams* params, const unsigned char** data )
const uint8_t* d = *data;
uint32_t offset = 0;
- uint32_t n = dtoh32o (d, offset);
+ uint32_t n;
uint32_t l, t1, s1, c1, t2 = 0, s2 = 0, c2 = 0;
+ if (*size < sizeof(uint32_t)) {
+ ptp_debug (params, "parsing EOS ImageFormat property failed 1 (size %d)", *size);
+ return 0;
+ }
+ n = dtoh32o (d, offset);
+ *size -= sizeof(uint32_t);
+
if (n != 1 && n !=2) {
ptp_debug (params, "parsing EOS ImageFormat property failed (n != 1 && n != 2: %d)", n);
return 0;
}
-
+ if (*size < sizeof(uint32_t)) {
+ ptp_debug (params, "parsing EOS ImageFormat property failed 2 (size %d)", *size);
+ return 0;
+ }
l = dtoh32o (d, offset);
+ *size -= sizeof(uint32_t);
+
if (l != 0x10) {
ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l);
return 0;
}
+ if (*size < 3*sizeof(uint32_t)) {
+ ptp_debug (params, "parsing EOS ImageFormat property failed 3 (size %d)", *size);
+ return 0;
+ }
t1 = dtoh32o (d, offset);
s1 = dtoh32o (d, offset);
c1 = dtoh32o (d, offset);
+ *size -= 3*sizeof(uint32_t);
if (n == 2) {
+ if (*size < sizeof(uint32_t)) {
+ ptp_debug (params, "parsing EOS ImageFormat property failed 4 (size %d)", *size);
+ return 0;
+ }
l = dtoh32o (d, offset);
+ *size -= sizeof(uint32_t);
+
if (l != 0x10) {
ptp_debug (params, "parsing EOS ImageFormat property failed (l != 0x10: 0x%x)", l);
return 0;
}
+ if (*size < 3*sizeof(uint32_t)) {
+ ptp_debug (params, "parsing EOS ImageFormat property failed 5 (size %d)", *size);
+ return 0;
+ }
t2 = dtoh32o (d, offset);
s2 = dtoh32o (d, offset);
c2 = dtoh32o (d, offset);
@@ -1668,12 +1695,20 @@ ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint3
static inline char*
-ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data )
+ptp_unpack_EOS_CustomFuncEx (PTPParams* params, const unsigned char** data, unsigned int *size )
{
- uint32_t s = dtoh32a( *data );
- uint32_t n = s/4, i;
+ uint32_t s, n, i;
char *str, *p;
+ if (*size < sizeof(uint32_t))
+ return strdup("bad length");
+
+ s = dtoh32a( *data );
+ n = s/4;
+
+ if (*size < 4+s)
+ return strdup("bad length");
+
if (s > 1024) {
ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s);
return strdup("bad length");
@@ -1962,7 +1997,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
case PTP_DPC_CANON_EOS_ImageFormatExtHD:
/* special handling of ImageFormat properties */
for (j=0;j<dpd_count;j++) {
- dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata );
+ dpd->FORM.Enum.SupportedValue[j].u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize );
ptp_debug (params, INDENT "prop %x option[%2d] == 0x%04x", dpc, j, dpd->FORM.Enum.SupportedValue[j].u16);
}
break;
@@ -2267,7 +2302,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
case PTP_DPC_CANON_EOS_ImageFormatSD:
case PTP_DPC_CANON_EOS_ImageFormatExtHD:
dpd->DataType = PTP_DTC_UINT16;
- dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata );
+ dpd->DefaultValue.u16 = ptp_unpack_EOS_ImageFormat( params, &xdata, &xsize );
dpd->CurrentValue.u16 = dpd->DefaultValue.u16;
ptp_debug (params, INDENT "prop %x value == 0x%04x (u16)", dpc, dpd->CurrentValue.u16);
break;
@@ -2275,7 +2310,7 @@ ptp_unpack_EOS_events (PTPParams *params, const unsigned char* data, unsigned in
dpd->DataType = PTP_DTC_STR;
free (dpd->DefaultValue.str);
free (dpd->CurrentValue.str);
- dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata );
+ dpd->DefaultValue.str = ptp_unpack_EOS_CustomFuncEx( params, &xdata, &xsize );
dpd->CurrentValue.str = strdup( (char*)dpd->DefaultValue.str );
ptp_debug (params, INDENT "prop %x value == %s", dpc, dpd->CurrentValue.str);
break;
meta-oe/recipes-graphics/gphoto2/libgphoto2_2.5.33.bb
+3 -2
View File
@@ -12,8 +12,9 @@ DEPENDS = "libtool jpeg virtual/libusb0 libexif zlib libxml2"
SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \ SRC_URI = "${SOURCEFORGE_MIRROR}/gphoto/${BP}.tar.xz;name=libgphoto2 \
file://40-libgphoto2.rules \ file://40-libgphoto2.rules \
file://0001-configure-Filter-out-buildpaths-from-CC.patch \ file://0001-configure-Filter-out-buildpaths-from-CC.patch \
file://0001-libgphoto2-fix-const-correctness-for-c23-builds.patch \ file://0001-libgphoto2-fix-const-correctness-for-c23-builds.patch \
" file://CVE-2026-40333.patch \
"
SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2" SRC_URI[libgphoto2.sha256sum] = "28825f767a85544cb58f6e15028f8e53a5bb37a62148b3f1708b524781c3bef2"
UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/gphoto/files/libgphoto/" UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/gphoto/files/libgphoto/"