+2009-03-21 Lutz Mueller <lutz@users.sourceforge.net>
+
+ Meder Kydyraliev <meder.k@gmail.com> suggested to add some sanity
+ checks:
+
+ * libexif/exif-data.c (exif_data_load_entry),
+ (exif_data_load_data_thumbnail)
+ * libexif/canon/exif_mnote-data-canon.c
+ (exif_mnote_data_canon_load)
+ * libexif/fuji/exif-mnote-data-fuji.c
+ (exif_mnote_data_fuji_load)
+ * libexif/olympus/exif-mnote-data-olympus.c
+ (exif_mnote_data_olympus_load)
+ * libexif/pentax/exif-mnote-data-pentax.c
+ (exif_mnote_data_pentax_load)
+
2009-03-16 Lutz Mueller <lutz@users.sourceforge.net>
* libexif/canon/exif-mnote-data-canon.c:
}
o += 8;
if (s > 4) o = exif_get_long (buf + o, n->order) + 6;
- if (o + s > buf_size) {
+ if ((o + s < s) || (o + s < o) || (o + s > buf_size)) {
exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteCanon",
"Tag data past end of buffer (%u > %u)",
doff = offset + 8;
/* Sanity checks */
- if ((doff + s < doff) || (doff + s < s))
- return 0;
- if (size < doff + s)
+ if ((doff + s < doff) || (doff + s < s) || (doff + s > size))
return 0;
entry->data = exif_data_alloc (data, s);
static void
exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
- unsigned int ds, ExifLong offset, ExifLong size)
+ unsigned int ds, ExifLong o, ExifLong s)
{
- if ((ds < offset + size) || (offset > ds)) {
+ /* Sanity checks */
+ if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) {
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
"Bogus thumbnail offset (%u) or size (%u).",
- offset, size);
+ o, s);
return;
}
+
if (data->data)
exif_mem_free (data->priv->mem, data->data);
- data->size = size;
- data->data = exif_data_alloc (data, data->size);
- if (!data->data)
+ if (!(data->data = exif_data_alloc (data, s))) {
+ data->size = 0;
return;
- memcpy (data->data, d + offset, data->size);
+ }
+ data->size = s;
+ memcpy (data->data, d + o, s);
}
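Review bot: In the new sanity check the final `(o > ds)` term is redundant: once `o + s` is known not to wrap and `o + s <= ds` holds, `o <= ds` follows, so the guard can be `if ((o + s < o) || (o + s < s) || (o + s > ds)) {` with no change in behaviour. The wrap tests themselves deserve a word of explanation, because they look unnecessary on a 64-bit host: `ExifLong` appears to be a 32-bit unsigned type here (the message prints it with `%u`), so `o + s` is evaluated in 32 bits and can wrap even though `d` is indexed with pointer-width arithmetic; a comment such as `/* o and s are 32-bit: o + s can wrap before the compare against ds */` above the check would capture that for the next reader. Zeroing `data->size` on allocation failure is a good addition, since the previous `data->data` has already been freed at that point and a stale non-zero size would otherwise describe a NULL buffer.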
#undef CHECK_REC
size_t i, o, s, datao = 6 + n->offset;
MnoteFujiEntry *t;
- if (!n || !buf || !buf_size || (buf_size < datao + 12)) return;
+ if (!n || !buf || !buf_size || (datao + 12 < datao) ||
+ (datao + 12 < 12) || (datao + 12 > buf_size))
+ return;
/* Read the number of entries and remove old ones. */
n->order = EXIF_BYTE_ORDER_INTEL;
datao += exif_get_long (buf + datao + 8, EXIF_BYTE_ORDER_INTEL);
+ if ((datao + 2 < datao) || (datao + 2 < 2))
+ return;
c = exif_get_short (buf + datao, EXIF_BYTE_ORDER_INTEL);
datao += 2;
exif_mnote_data_fuji_clear (n);
if (!s) return;
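Review bot: The guard added after `datao += exif_get_long (...)` only tests for wraparound and never compares the new `datao` against `buf_size`, so a file-supplied offset can move `datao` past the end of the buffer and the following `exif_get_short (buf + datao, ...)` reads out of bounds. The earlier `datao + 12` check runs before that offset is added, so it does not cover this read. The three-term form the commit uses everywhere else closes the gap: `if ((datao + 2 < datao) || (datao + 2 < 2) || (datao + 2 > buf_size)) return;`. exif_mnote_data_fuji_load starts before this hunk and continues after it, so whether the later per-entry loop re-checks its own bounds is not visible here.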
o += 8;
if (s > 4) o = exif_get_long (buf + o, n->order) + 6 + n->offset;
- if (o + s > buf_size) {
- exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteDataFuji",
- "Tag data past end of buffer (%u > %u)",
- o+s, buf_size);
+ if ((o + s < o) || (o + s < s) || (o + s > buf_size)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataFuji", "Tag data past end of "
+ "buffer (%u > %u)", o + s, buf_size);
return;
}
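Review bot: The reflowed `exif_log` call passes `o + s` to a `%u` conversion, but `o` and `s` are declared `size_t` at the top of exif_mnote_data_fuji_load (visible in the preceding hunk), so on LP64 targets the variadic argument is 64 bits wide and the format no longer matches. Since the commit already rewrites this call it is the moment to fix it, e.g. `"buffer (%lu > %u)", (unsigned long)(o + s), buf_size);`. The olympus hunk (`dataofs` is declared `size_t` there) and the pentax hunk carry the same `%u` with a `size_t` sum, and the canon hunk appears to as well if its `o` and `s` are `size_t` like the others. Separately, `(o + s < o) || (o + s < s)` is two tests for one condition: for unsigned operands a single `o + s < s` already detects the wrap, though keeping both is harmless.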
/* Parse all c entries, storing ones that are successfully parsed */
for (i = c, tcount = 0, o = o2; i; --i, o += 12) {
size_t dataofs;
- if (o + 12 > buf_size) {
+ if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteOlympus", "Short MakerNote");
break;
}
#endif
}
- if (dataofs + s > buf_size) {
+ if ((dataofs + s < dataofs) || (dataofs + s < s) ||
+ (dataofs + s > buf_size)) {
exif_log (en->log, EXIF_LOG_CODE_DEBUG,
"ExifMnoteOlympus",
"Tag data past end of buffer (%u > %u)",
- dataofs+s, buf_size);
+ dataofs + s, buf_size);
continue;
}
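Review bot: The truncated-tag-data condition here is logged at `EXIF_LOG_CODE_DEBUG`, while the same "Tag data past end of buffer" condition in the canon, fuji and pentax hunks of this commit is logged at `EXIF_LOG_CODE_CORRUPT_DATA`. If the difference is deliberate because this site skips only the offending entry with `continue` rather than abandoning the whole MakerNote, a comment such as `/* skip this entry only; not fatal for the rest of the MakerNote */` above the check would stop the next reader from "correcting" it; otherwise the level should match the other three. The enclosing loop body starts before this hunk, so the handling of the skipped entry is not visible here.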
if (!s) return;
o += 8;
if (s > 4) o = exif_get_long (buf + o, n->order) + 6;
- if (o + s > buf_size) {
- exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteDataPentax",
- "Tag data past end of buffer (%u > %u)",
- o+s, buf_size);
+ if ((o + s < o) || (o + s < s) || (o + s > buf_size)) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataPentax", "Tag data past end "
+ "of buffer (%u > %u)", o + s, buf_size);
return;
}