Fix stack buffer overflows in exif_content_dump and exif_entry_dump.

[platform/upstream/libexif.git] / libexif / exif-content.c

diff --git a/libexif/exif-content.c b/libexif/exif-content.c
index a79d1f2..7338ee8 100644 (file)
--- a/libexif/exif-content.c
+++ b/libexif/exif-content.c
@@ -14,8 +14,8 @@
  *
  * You should have received a copy of the GNU Lesser General Public
  * License along with this library; if not, write to the
- * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
- * Boston, MA 02111-1307, USA.
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA  02110-1301  USA.
  */
 
 #include <config.h>
@@ -78,12 +78,18 @@ exif_content_new_mem (ExifMem *mem)
 void
 exif_content_ref (ExifContent *content)
 {
+       if (!content)
+               return;
+
        content->priv->ref_count++;
 }
 
 void
 exif_content_unref (ExifContent *content)
 {
+       if (!content)
+               return;
+
        content->priv->ref_count--;
        if (!content->priv->ref_count)
                exif_content_free (content);
@@ -114,15 +120,15 @@ void
 exif_content_dump (ExifContent *content, unsigned int indent)
 {
        char buf[1024];
-       unsigned int i;
-
-       for (i = 0; i < 2 * indent; i++)
-               buf[i] = ' ';
-       buf[i] = '\0';
+       unsigned int i, l;
 
        if (!content)
                return;
 
+       l = MIN(sizeof(buf)-1, 2*indent);
+       memset(buf, ' ', l);
+       buf[l] = '\0';
+
        printf ("%sDumping exif content (%u entries)...\n", buf,
                content->count);
        for (i = 0; i < content->count; i++)
@@ -162,8 +168,12 @@ exif_content_remove_entry (ExifContent *c, ExifEntry *e)
        if (!c || !c->priv || !e || (e->parent != c)) return;
 
        /* Search the entry */
-       for (i = 0; i < c->count; i++) if (c->entries[i] == e) break;
-       if (i == c->count) return;
+       for (i = 0; i < c->count; i++)
+                       if (c->entries[i] == e)
+                                       break;
+
+       if (i == c->count)
+                       return;
 
        /* Remove the entry */
        temp = c->entries[c->count-1];
@@ -232,9 +242,9 @@ exif_content_get_ifd (ExifContent *c)
        if (!c || !c->parent) return EXIF_IFD_COUNT;
 
        return 
+               ((c)->parent->ifd[EXIF_IFD_EXIF] == (c)) ? EXIF_IFD_EXIF :
                ((c)->parent->ifd[EXIF_IFD_0] == (c)) ? EXIF_IFD_0 :
                ((c)->parent->ifd[EXIF_IFD_1] == (c)) ? EXIF_IFD_1 :
-               ((c)->parent->ifd[EXIF_IFD_EXIF] == (c)) ? EXIF_IFD_EXIF :
                ((c)->parent->ifd[EXIF_IFD_GPS] == (c)) ? EXIF_IFD_GPS :
                ((c)->parent->ifd[EXIF_IFD_INTEROPERABILITY] == (c)) ? EXIF_IFD_INTEROPERABILITY :
                EXIF_IFD_COUNT;
@@ -291,9 +301,9 @@ exif_content_fix (ExifContent *c)
        /*
         * Go through each tag and if it's not recorded, remove it. If one
         * is removed, exif_content_foreach_entry() will skip the next entry,
-        * so do the loop again from the beginning if this happens to ensure
+        * so if this happens do the loop again from the beginning to ensure
         * they're all checked. This could be avoided if we stop relying on
-        * exif_content_foreach_entry.
+        * exif_content_foreach_entry but loop intelligently here.
         */
        do {
                num = c->count;