/* exif-mnote-data-canon.c
*
- * Copyright © 2002, 2003 Lutz Müller <lutz@users.sourceforge.net>
- * Copyright © 2003 Matthieu Castet <mat-c@users.sourceforge.net>
+ * Copyright (c) 2002, 2003 Lutz Mueller <lutz@users.sourceforge.net>
+ * Copyright (c) 2003 Matthieu Castet <mat-c@users.sourceforge.net>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the
- * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
- * Boston, MA 02111-1307, USA.
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301 USA.
*/
#include <config.h>
#include <libexif/exif-utils.h>
#include <libexif/exif-data.h>
-#define DEBUG
+#define CHECKOVERFLOW(offset,datasize,structsize) (( offset >= datasize) || (structsize > datasize) || (offset > datasize - structsize ))
static void
exif_mnote_data_canon_clear (ExifMnoteDataCanon *n)
{
+ ExifMnoteData *d = (ExifMnoteData *) n;
unsigned int i;
if (!n) return;
if (n->entries) {
for (i = 0; i < n->count; i++)
if (n->entries[i].data) {
- free (n->entries[i].data);
+ exif_mem_free (d->mem, n->entries[i].data);
n->entries[i].data = NULL;
}
- free (n->entries);
+ exif_mem_free (d->mem, n->entries);
n->entries = NULL;
n->count = 0;
}
exif_mnote_data_canon_clear ((ExifMnoteDataCanon *) n);
}
+static void
+exif_mnote_data_canon_get_tags (ExifMnoteDataCanon *dc, unsigned int n,
+ unsigned int *m, unsigned int *s)
+{
+ unsigned int from = 0, to;
+
+ if (!dc || !m) return;
+ for (*m = 0; *m < dc->count; (*m)++) {
+ to = from + mnote_canon_entry_count_values (&dc->entries[*m]);
+ if (to > n) {
+ if (s) *s = n - from;
+ break;
+ }
+ from = to;
+ }
+}
+
static char *
-exif_mnote_data_canon_get_value (ExifMnoteData *note, unsigned int n)
+exif_mnote_data_canon_get_value (ExifMnoteData *note, unsigned int n, char *val, unsigned int maxlen)
{
- ExifMnoteDataCanon *cnote = (ExifMnoteDataCanon *) note;
+ ExifMnoteDataCanon *dc = (ExifMnoteDataCanon *) note;
+ unsigned int m, s;
- if (!note) return NULL;
- if (cnote->count <= n) return NULL;
- return mnote_canon_entry_get_value (&cnote->entries[n]);
+ if (!dc) return NULL;
+ exif_mnote_data_canon_get_tags (dc, n, &m, &s);
+ if (m >= dc->count) return NULL;
+ return mnote_canon_entry_get_value (&dc->entries[m], s, val, maxlen);
}
static void
{
ExifByteOrder o_orig;
ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) d;
- unsigned int i, fs;
- ExifShort s;
- ExifLong l;
- ExifSLong sl;
- ExifRational r;
- ExifSRational sr;
+ unsigned int i;
if (!n) return;
o_orig = n->order;
n->order = o;
for (i = 0; i < n->count; i++) {
+ if (n->entries[i].components && (n->entries[i].size/n->entries[i].components < exif_format_get_size (n->entries[i].format)))
+ continue;
n->entries[i].order = o;
- fs = exif_format_get_size (n->entries[i].format);
- switch (n->entries[i].format) {
- case EXIF_FORMAT_SHORT:
- for (i = 0; i < n->entries[i].components; i++) {
- s = exif_get_short (n->entries[i].data + (i*fs),
- o_orig);
- exif_set_short (n->entries[i].data + (i * fs),
- o, s);
- }
- break;
- case EXIF_FORMAT_LONG:
- for (i = 0; i < n->entries[i].components; i++) {
- l = exif_get_long (n->entries[i].data + (i*fs),
- o_orig);
- exif_set_long (n->entries[i].data + (i * fs),
- o, l);
- }
- break;
- case EXIF_FORMAT_RATIONAL:
- for (i = 0; i < n->entries[i].components; i++) {
- r = exif_get_rational (n->entries[i].data +
- (i * fs), o_orig);
- exif_set_rational (n->entries[i].data +
- (i * fs), o, r);
- }
- break;
- case EXIF_FORMAT_SLONG:
- for (i = 0; i < n->entries[i].components; i++) {
- sl = exif_get_slong (n->entries[i].data +
- (i * fs), o_orig);
- exif_set_slong (n->entries[i].data +
- (i * fs), o, sl);
- }
- break;
- case EXIF_FORMAT_SRATIONAL:
- for (i = 0; i < n->entries[i].components; i++) {
- sr = exif_get_srational (n->entries[i].data +
- (i * fs), o_orig);
- exif_set_srational (n->entries[i].data +
- (i * fs), o, sr);
- }
- break;
- case EXIF_FORMAT_UNDEFINED:
- case EXIF_FORMAT_BYTE:
- case EXIF_FORMAT_ASCII:
- default:
- /* Nothing here. */
- break;
- }
+ exif_array_set_byte_order (n->entries[i].format, n->entries[i].data,
+ n->entries[i].components, o_orig, o);
}
}
unsigned char **buf, unsigned int *buf_size)
{
ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
- unsigned int i, o, s, doff;
+ size_t i, o, s, doff;
+ unsigned char *t;
+ size_t ts;
if (!n || !buf || !buf_size) return;
* of entries.
*/
*buf_size = 2 + n->count * 12 + 4;
- *buf = malloc (sizeof (char) * *buf_size);
- if (!*buf) return;
- memset (*buf, 0, sizeof (char) * *buf_size);
+ *buf = exif_mem_alloc (ne->mem, sizeof (char) * *buf_size);
+ if (!*buf) {
+ EXIF_LOG_NO_MEMORY(ne->log, "ExifMnoteCanon", *buf_size);
+ return;
+ }
/* Save the number of entries */
- exif_set_short (*buf, n->order, n->count);
+ exif_set_short (*buf, n->order, (ExifShort) n->count);
/* Save each entry */
for (i = 0; i < n->count; i++) {
o = 2 + i * 12;
- exif_set_short (*buf + o + 0, n->order, n->entries[i].tag);
- exif_set_short (*buf + o + 2, n->order, n->entries[i].format);
+ exif_set_short (*buf + o + 0, n->order, (ExifShort) n->entries[i].tag);
+ exif_set_short (*buf + o + 2, n->order, (ExifShort) n->entries[i].format);
exif_set_long (*buf + o + 4, n->order,
n->entries[i].components);
o += 8;
s = exif_format_get_size (n->entries[i].format) *
n->entries[i].components;
+ if (s > 65536) {
+ /* Corrupt data: EXIF data size is limited to the
+ * maximum size of a JPEG segment (64 kb).
+ */
+ continue;
+ }
if (s > 4) {
- *buf_size += s;
- *buf = realloc (*buf, sizeof (char) * *buf_size);
- if (!*buf) return;
+ ts = *buf_size + s;
+
+ /* Ensure even offsets. Set padding bytes to 0. */
+ if (s & 1) ts += 1;
+ t = exif_mem_realloc (ne->mem, *buf,
+ sizeof (char) * ts);
+ if (!t) {
+ EXIF_LOG_NO_MEMORY(ne->log, "ExifMnoteCanon", ts);
+ return;
+ }
+ *buf = t;
+ *buf_size = ts;
doff = *buf_size - s;
+ if (s & 1) { doff--; *(*buf + *buf_size - 1) = '\0'; }
exif_set_long (*buf + o, n->order, n->offset + doff);
} else
doff = o;
- /* Write the data. Fill unneeded bytes with 0. */
- memcpy (*buf + doff, n->entries[i].data, s);
+ /*
+ * Write the data. Fill unneeded bytes with 0. Do not
+ * crash if data is NULL.
+ */
+ if (!n->entries[i].data) memset (*buf + doff, 0, s);
+ else memcpy (*buf + doff, n->entries[i].data, s);
if (s < 4) memset (*buf + doff + s, 0, (4 - s));
}
}
+/* XXX
+ * FIXME: exif_mnote_data_canon_load() may fail and there is no
+ * semantics to express that.
+ * See bug #1054323 for details, especially the comment by liblit
+ * after it has supposedly been fixed:
+ *
+ * https://sourceforge.net/tracker/?func=detail&aid=1054323&group_id=12272&atid=112272
+ * Unfortunately, the "return" statements aren't commented at
+ * all, so it isn't trivial to find out what is a normal
+ * return, and what is a reaction to an error condition.
+ */
+
static void
exif_mnote_data_canon_load (ExifMnoteData *ne,
const unsigned char *buf, unsigned int buf_size)
{
ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
ExifShort c;
- unsigned int i, o, s;
+ size_t i, tcount, o, datao;
- if (!n || !buf || !buf_size || (buf_size < 6 + n->offset + 2)) return;
+ if (!n || !buf || !buf_size) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon", "Short MakerNote");
+ return;
+ }
+ datao = 6 + n->offset;
+ if (CHECKOVERFLOW(datao, buf_size, 2)) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon", "Short MakerNote");
+ return;
+ }
- /* Read the number of entries and remove old ones. */
- c = exif_get_short (buf + 6 + n->offset, n->order);
+ /* Read the number of tags */
+ c = exif_get_short (buf + datao, n->order);
+ datao += 2;
+
+ /* Remove any old entries */
exif_mnote_data_canon_clear (n);
+ /* Reserve enough space for all the possible MakerNote tags */
+ n->entries = exif_mem_alloc (ne->mem, sizeof (MnoteCanonEntry) * c);
+ if (!n->entries) {
+ EXIF_LOG_NO_MEMORY(ne->log, "ExifMnoteCanon", sizeof (MnoteCanonEntry) * c);
+ return;
+ }
+
/* Parse the entries */
- for (i = 0; i < c; i++) {
- o = 6 + 2 + n->offset + 12 * i;
- if (o + 8 > buf_size) return;
-
- n->count = i + 1;
- n->entries = realloc (n->entries, sizeof (MnoteCanonEntry) * (i+1));
- memset (&n->entries[i], 0, sizeof (MnoteCanonEntry));
- n->entries[i].tag = exif_get_short (buf + o, n->order);
- n->entries[i].format = exif_get_short (buf + o + 2, n->order);
- n->entries[i].components = exif_get_long (buf + o + 4, n->order);
- n->entries[i].order = n->order;
-
- /*
- * Size? If bigger than 4 bytes, the actual data is not
- * in the entry but somewhere else (offset).
- */
- s = exif_format_get_size (n->entries[i].format) *
- n->entries[i].components;
- if (!s) return;
- o += 8;
- if (s > 4) o = exif_get_long (buf + o, n->order) + 6;
- if (o + s > buf_size) return;
-
- /* Sanity check */
- n->entries[i].data = malloc (sizeof (char) * s);
- if (!n->entries[i].data) return;
- memset (n->entries[i].data, 0, sizeof (char) * s);
- n->entries[i].size = s;
- memcpy (n->entries[i].data, buf + o, s);
+ tcount = 0;
+ for (i = c, o = datao; i; --i, o += 12) {
+ size_t s;
+
+ memset(&n->entries[tcount], 0, sizeof(MnoteCanonEntry));
+ if (CHECKOVERFLOW(o,buf_size,12)) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon", "Short MakerNote");
+ break;
+ }
+
+ n->entries[tcount].tag = exif_get_short (buf + o, n->order);
+ n->entries[tcount].format = exif_get_short (buf + o + 2, n->order);
+ n->entries[tcount].components = exif_get_long (buf + o + 4, n->order);
+ n->entries[tcount].order = n->order;
+
+ exif_log (ne->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteCanon",
+ "Loading entry 0x%x ('%s')...", n->entries[tcount].tag,
+ mnote_canon_tag_get_name (n->entries[tcount].tag));
+
+ /* Check if we overflow the multiplication. Use buf_size as the max size for integer overflow detection,
+ * we will check the buffer sizes closer later. */
+ if ( exif_format_get_size (n->entries[tcount].format) &&
+ buf_size / exif_format_get_size (n->entries[tcount].format) < n->entries[tcount].components
+ ) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon", "Tag size overflow detected (%u * %lu)", exif_format_get_size (n->entries[tcount].format), n->entries[tcount].components);
+ continue;
+ }
+
+ /*
+ * Size? If bigger than 4 bytes, the actual data is not
+ * in the entry but somewhere else (offset).
+ */
+ s = exif_format_get_size (n->entries[tcount].format) *
+ n->entries[tcount].components;
+ n->entries[tcount].size = s;
+ if (!s) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon",
+ "Invalid zero-length tag size");
+ continue;
+
+ } else {
+ size_t dataofs = o + 8;
+ if (s > 4) dataofs = exif_get_long (buf + dataofs, n->order) + 6;
+
+ if (CHECKOVERFLOW(dataofs, buf_size, s)) {
+ exif_log (ne->log, EXIF_LOG_CODE_DEBUG,
+ "ExifMnoteCanon",
+ "Tag data past end of buffer (%u > %u)",
+ (unsigned)(dataofs + s), buf_size);
+ continue;
+ }
+
+ n->entries[tcount].data = exif_mem_alloc (ne->mem, s);
+ if (!n->entries[tcount].data) {
+ EXIF_LOG_NO_MEMORY(ne->log, "ExifMnoteCanon", s);
+ continue;
+ }
+ memcpy (n->entries[tcount].data, buf + dataofs, s);
+ }
+
+ /* Tag was successfully parsed */
+ ++tcount;
}
+ /* Store the count of successfully parsed tags */
+ n->count = tcount;
}
static unsigned int
exif_mnote_data_canon_count (ExifMnoteData *n)
{
- return n ? ((ExifMnoteDataCanon *) n)->count : 0;
+ ExifMnoteDataCanon *dc = (ExifMnoteDataCanon *) n;
+ unsigned int i, c;
+
+ for (i = c = 0; dc && (i < dc->count); i++)
+ c += mnote_canon_entry_count_values (&dc->entries[i]);
+ return c;
+}
+
+static unsigned int
+exif_mnote_data_canon_get_id (ExifMnoteData *d, unsigned int i)
+{
+ ExifMnoteDataCanon *dc = (ExifMnoteDataCanon *) d;
+ unsigned int m;
+
+ if (!dc) return 0;
+ exif_mnote_data_canon_get_tags (dc, i, &m, NULL);
+ if (m >= dc->count) return 0;
+ return dc->entries[m].tag;
}
static const char *
exif_mnote_data_canon_get_name (ExifMnoteData *note, unsigned int i)
{
- ExifMnoteDataCanon *cnote = (ExifMnoteDataCanon *) note;
+ ExifMnoteDataCanon *dc = (ExifMnoteDataCanon *) note;
+ unsigned int m, s;
- if (!note) return NULL;
- if (i >= cnote->count) return NULL;
- return mnote_canon_tag_get_name (cnote->entries[i].tag);
+ if (!dc) return NULL;
+ exif_mnote_data_canon_get_tags (dc, i, &m, &s);
+ if (m >= dc->count) return NULL;
+ return mnote_canon_tag_get_name_sub (dc->entries[m].tag, s, dc->options);
}
static const char *
exif_mnote_data_canon_get_title (ExifMnoteData *note, unsigned int i)
{
- ExifMnoteDataCanon *cnote = (ExifMnoteDataCanon *) note;
+ ExifMnoteDataCanon *dc = (ExifMnoteDataCanon *) note;
+ unsigned int m, s;
- if (!note) return NULL;
- if (i >= cnote->count) return NULL;
- return mnote_canon_tag_get_title (cnote->entries[i].tag);
+ if (!dc) return NULL;
+ exif_mnote_data_canon_get_tags (dc, i, &m, &s);
+ if (m >= dc->count) return NULL;
+ return mnote_canon_tag_get_title_sub (dc->entries[m].tag, s, dc->options);
}
static const char *
exif_mnote_data_canon_get_description (ExifMnoteData *note, unsigned int i)
{
- ExifMnoteDataCanon *cnote = (ExifMnoteDataCanon *) note;
- if (!note) return NULL;
- if (i >= cnote->count) return NULL;
- return mnote_canon_tag_get_description (cnote->entries[i].tag);
+ ExifMnoteDataCanon *dc = (ExifMnoteDataCanon *) note;
+ unsigned int m;
+
+ if (!dc) return NULL;
+ exif_mnote_data_canon_get_tags (dc, i, &m, NULL);
+ if (m >= dc->count) return NULL;
+ return mnote_canon_tag_get_description (dc->entries[m].tag);
+}
+
+int
+exif_mnote_data_canon_identify (const ExifData *ed, const ExifEntry *e)
+{
+ char value[8];
+
+ (void) e; /* unused */
+ ExifEntry *em = exif_data_get_entry (ed, EXIF_TAG_MAKE);
+ if (!em)
+ return 0;
+ return !strcmp (exif_entry_get_value (em, value, sizeof (value)), "Canon");
}
ExifMnoteData *
-exif_mnote_data_canon_new (void)
+exif_mnote_data_canon_new (ExifMem *mem, ExifDataOption o)
{
ExifMnoteData *d;
+ ExifMnoteDataCanon *dc;
+
+ if (!mem) return NULL;
- d = malloc (sizeof (ExifMnoteDataCanon));
- if (!d) return NULL;
- memset (d, 0, sizeof (ExifMnoteDataCanon));
+ d = exif_mem_alloc (mem, sizeof (ExifMnoteDataCanon));
+ if (!d)
+ return NULL;
- exif_mnote_data_construct (d);
+ exif_mnote_data_construct (d, mem);
/* Set up function pointers */
d->methods.free = exif_mnote_data_canon_free;
d->methods.load = exif_mnote_data_canon_load;
d->methods.save = exif_mnote_data_canon_save;
d->methods.count = exif_mnote_data_canon_count;
+ d->methods.get_id = exif_mnote_data_canon_get_id;
d->methods.get_name = exif_mnote_data_canon_get_name;
d->methods.get_title = exif_mnote_data_canon_get_title;
d->methods.get_description = exif_mnote_data_canon_get_description;
d->methods.get_value = exif_mnote_data_canon_get_value;
+ dc = (ExifMnoteDataCanon*)d;
+ dc->options = o;
return d;
}