(parent: 28d48ae)
Fixed an off-by-one error in exif_convert_utf16_to_utf8()
author Dan Fandrich <dan@coneharvesters.com> Thu, 12 Jul 2012 17:11:30 +0000 (10:11 -0700)
committer Dan Fandrich <dan@coneharvesters.com> Thu, 12 Jul 2012 17:11:30 +0000 (10:11 -0700)
This can cause a one-byte NUL write past the end of the buffer.
This fixes CVE-2012-2840
libexif/exif-utils.c
diff --git
a/libexif/exif-utils.c
b/libexif/exif-utils.c
index
22ee29f
..
f375de1
100644
(file)
--- a/
libexif/exif-utils.c
+++ b/
libexif/exif-utils.c
@@
-239,7
+239,7
@@
exif_convert_utf16_to_utf8 (char *out, const unsigned short *in, int maxlen)
break;
}
} else {
- if (maxlen >
2
) {
+ if (maxlen >
3
) {
*out++ = ((*in >> 12) & 0x0F) | 0xE0;
*out++ = ((*in >> 6) & 0x3F) | 0x80;
*out++ = (*in++ & 0x3F) | 0x80;
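Review bot: The new bound `maxlen > 3` in the three-byte branch is a bare constant with no comment saying that the extra byte is reserved for the terminating NUL, which is the detail the previous `maxlen > 2` missed. Please add a comment at this check (for example "3 bytes of UTF-8 output plus the trailing NUL") or write the bound as the encoded length plus one, so the invariant is visible to the next person who touches it. The one-byte and two-byte branches are above this hunk and not shown here; confirm they reserve the terminator the same way, and document on the function what `maxlen` means for callers (whether it counts the NUL), since it is a signed `int` taken directly from the caller.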