#include <libexif/olympus/exif-mnote-data-olympus.h>
#include <libexif/pentax/exif-mnote-data-pentax.h>
+#include <math.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
-#if defined(__WATCOMC__) || defined(_MSC_VER)
-# define strncasecmp strnicmp
-#endif
-
#undef JPEG_MARKER_SOI
#define JPEG_MARKER_SOI 0xd8
#undef JPEG_MARKER_APP0
doff = offset + 8;
/* Sanity checks */
- if ((doff + s < doff) || (doff + s < s) || (doff + s > size)) {
+ if (doff >= size) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+ "Tag starts past end of buffer (%u > %u)", doff, size);
+ return 0;
+ }
+
+ if (s > size - doff) {
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
- "Tag data past end of buffer (%u > %u)", doff+s, size);
+ "Tag data goes past end of buffer (%u > %u)", doff+s, size);
return 0;
}
entry->size = s;
memcpy (entry->data, d + doff, s);
} else {
- /* FIXME: What do our callers do if (entry->data == NULL)? */
EXIF_LOG_NO_MEMORY(data->priv->log, "ExifData", s);
+ return 0;
}
/* If this is the MakerNote, remember the offset */
exif_mnote_data_set_offset (data->priv->md, *ds - 6);
exif_mnote_data_save (data->priv->md, &e->data, &e->size);
e->components = e->size;
+ if (exif_format_get_size (e->format) != 1) {
+ /* e->format is taken from input code,
+ * but we need to make sure it is a 1 byte
+ * entity due to the multiplication below. */
+ e->format = EXIF_FORMAT_UNDEFINED;
+ }
}
}
/* Write the data. Fill unneeded bytes with 0. Do not crash with
* e->data is NULL */
if (e->data) {
- memcpy (*d + 6 + doff, e->data, s);
+ unsigned int len = s;
+ if (e->size < s) len = e->size;
+ memcpy (*d + 6 + doff, e->data, len);
} else {
memset (*d + 6 + doff, 0, s);
}
unsigned int ds, ExifLong o, ExifLong s)
{
/* Sanity checks */
- if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
- exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
- "Bogus thumbnail offset (%u) or size (%u).",
- o, s);
+ if (o >= ds) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u).", o);
+ return;
+ }
+ if (s > ds - o) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail size (%u), max would be %u.", s, ds-o);
return;
}
-
if (data->data)
exif_mem_free (data->priv->mem, data->data);
if (!(data->data = exif_data_alloc (data, s))) {
break; \
}
+/*! Calculate the recursion cost added by one level of IFD loading.
+ *
+ * The work performed is related to the cost in the exponential relation
+ * work=1.1**cost
+ */
+static unsigned int
+level_cost(unsigned int n)
+{
+ static const double log_1_1 = 0.09531017980432493;
+
+ /* Adding 0.1 protects against the case where n==1 */
+ return ceil(log(n + 0.1)/log_1_1);
+}
+
/*! Load data for an IFD.
*
* \param[in,out] data #ExifData
* \param[in] d pointer to buffer containing raw IFD data
* \param[in] ds size of raw data in buffer at \c d
* \param[in] offset offset into buffer at \c d at which IFD starts
- * \param[in] recursion_depth number of times this function has been
- * recursively called without returning
+ * \param[in] recursion_cost factor indicating how expensive this recursive
+ * call could be
*/
static void
exif_data_load_data_content (ExifData *data, ExifIfd ifd,
const unsigned char *d,
- unsigned int ds, unsigned int offset, unsigned int recursion_depth)
+ unsigned int ds, unsigned int offset, unsigned int recursion_cost)
{
ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
ExifShort n;
if ((((int)ifd) < 0) || ( ((int)ifd) >= EXIF_IFD_COUNT))
return;
- if (recursion_depth > 30) {
+ if (recursion_cost > 170) {
+ /*
+ * recursion_cost is a logarithmic-scale indicator of how expensive this
+ * recursive call might end up being. It is an indicator of the depth of
+ * recursion as well as the potential for worst-case future recursive
+ * calls. Since it's difficult to tell ahead of time how often recursion
+ * will occur, this assumes the worst by assuming every tag could end up
+ * causing recursion.
+ * The value of 170 was chosen to limit typical EXIF structures to a
+ * recursive depth of about 6, but pathological ones (those with very
+ * many tags) to only 2.
+ */
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
- "Deep recursion detected!");
+ "Deep/expensive recursion detected!");
return;
}
switch (tag) {
case EXIF_TAG_EXIF_IFD_POINTER:
CHECK_REC (EXIF_IFD_EXIF);
- exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, recursion_depth + 1);
+ exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o,
+ recursion_cost + level_cost(n));
break;
case EXIF_TAG_GPS_INFO_IFD_POINTER:
CHECK_REC (EXIF_IFD_GPS);
- exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, recursion_depth + 1);
+ exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o,
+ recursion_cost + level_cost(n));
break;
case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
CHECK_REC (EXIF_IFD_INTEROPERABILITY);
- exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, recursion_depth + 1);
+ exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o,
+ recursion_cost + level_cost(n));
break;
case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
thumbnail_offset = o;
break;
}
entry = exif_entry_new_mem (data->priv->mem);
+ if (!entry) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_NO_MEMORY, "ExifData",
+ "Could not allocate memory");
+ return;
+ }
if (exif_data_load_data_entry (data, entry, d, ds,
offset + 12 * i))
exif_content_add_entry (data->ifd[ifd], entry);
void
exif_data_load_data (ExifData *data, const unsigned char *d_orig,
- unsigned int ds_orig)
+ unsigned int ds)
{
unsigned int l;
ExifLong offset;
ExifShort n;
const unsigned char *d = d_orig;
- unsigned int ds = ds_orig, len;
+ unsigned int len, fullds;
- if (!data || !data->priv || !d || !ds)
+ if (!data || !data->priv || !d || !ds)
return;
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
}
if (!memcmp (d, ExifHeader, 6)) {
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
- "Found EXIF header.");
+ "Found EXIF header at start.");
} else {
- while (1) {
- while ((d[0] == 0xff) && ds) {
+ while (ds >= 3) {
+ while (ds && (d[0] == 0xff)) {
d++;
ds--;
}
/* JPEG_MARKER_SOI */
- if (d[0] == JPEG_MARKER_SOI) {
+ if (ds && d[0] == JPEG_MARKER_SOI) {
d++;
ds--;
continue;
}
- /* JPEG_MARKER_APP0 */
- if (d[0] == JPEG_MARKER_APP0) {
+ /* JPEG_MARKER_APP1 */
+ if (ds && d[0] == JPEG_MARKER_APP1)
+ break;
+
+ /* Skip irrelevant APP markers. The branch for APP1 must come before this,
+ otherwise this code block will cause APP1 to be skipped. This code path
+ is only relevant for files that are nonconformant to the EXIF
+ specification. For conformant files, the APP1 code path above will be
+ taken. */
+ if (ds >= 3 && d[0] >= 0xe0 && d[0] <= 0xef) { /* JPEG_MARKER_APPn */
d++;
ds--;
l = (d[0] << 8) | d[1];
continue;
}
- /* JPEG_MARKER_APP1 */
- if (d[0] == JPEG_MARKER_APP1)
- break;
-
/* Unknown marker or data. Give up. */
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifData", _("EXIF marker not found."));
return;
}
- d++;
- ds--;
- if (ds < 2) {
+ if (ds < 3) {
LOG_TOO_SMALL;
return;
}
+ d++;
+ ds--;
len = (d[0] << 8) | d[1];
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
"We have to deal with %i byte(s) of EXIF data.",
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
"Found EXIF header.");
- /* Byte order (offset 6, length 2) */
+ /* Sanity check the data length */
if (ds < 14)
return;
+
+ /* The JPEG APP1 section can be no longer than 64 KiB (including a
+ 16-bit length), so cap the data length to protect against overflow
+ in future offset calculations */
+ fullds = ds;
+ if (ds > 0xfffe)
+ ds = 0xfffe;
+
+ /* Byte order (offset 6, length 2) */
if (!memcmp (d + 6, "II", 2))
data->priv->order = EXIF_BYTE_ORDER_INTEL;
else if (!memcmp (d + 6, "MM", 2))
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
"IFD 0 at %i.", (int) offset);
+ /* ds is restricted to 16 bit above, so offset is restricted too, and offset+8 should not overflow. */
+ if (offset > ds || offset + 6 + 2 > ds)
+ return;
+
/* Parse the actual exif data (usually offset 14 from start) */
exif_data_load_data_content (data, EXIF_IFD_0, d + 6, ds - 6, offset, 0);
/* IFD 1 offset */
- if (offset + 6 + 2 > ds) {
- return;
- }
n = exif_get_short (d + 6 + offset, data->priv->order);
- if (offset + 6 + 2 + 12 * n + 4 > ds) {
+ /* offset < 2<<16, n is 16 bit at most, so this op will not overflow */
+ if (offset + 6 + 2 + 12 * n + 4 > ds)
return;
- }
+
offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order);
if (offset) {
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
"IFD 1 at %i.", (int) offset);
- /* Sanity check. */
+ /* Sanity check. ds is ensured to be above 6 above, offset is 16bit */
if (offset > ds - 6) {
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifData", "Bogus offset of IFD1.");
* space between IFDs. Here is the only place where we have access
* to that data.
*/
- interpret_maker_note(data, d, ds);
+ interpret_maker_note(data, d, fullds);
/* Fixup tags if requested */
if (data->priv->options & EXIF_DATA_OPTION_FOLLOW_SPECIFICATION)
}
if (data->data) {
- printf ("%i byte(s) thumbnail data available.", data->size);
+ printf ("%i byte(s) thumbnail data available: ", data->size);
if (data->size >= 4) {
printf ("0x%02x 0x%02x ... 0x%02x 0x%02x\n",
data->data[0], data->data[1],