Fixed an off-by-one error in exif_convert_utf16_to_utf8()
author Dan Fandrich <dan@coneharvesters.com>
Thu, 12 Jul 2012 17:11:30 +0000 (10:11 -0700)
committer Dan Fandrich <dan@coneharvesters.com>
Thu, 12 Jul 2012 17:11:30 +0000 (10:11 -0700)
This can cause a one-byte NUL write past the end of the buffer.
This fixes CVE-2012-2840
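The off-by-one the commit message describes, shown in a simplified UTF-16 to UTF-8 converter. This is an added example, not libexif's code: it mirrors only the three-byte branch visible in the diff, and the loop structure, the `fixed` switch that selects the old (`maxlen > 2`) or new (`maxlen > 3`) bound, the return value and the sample input (U+20AC) are assumptions for illustration. `maxlen` is taken to be the size of the output buffer including the terminating NUL, so every branch must leave one byte spare beyond what it writes.

```c
#include <stdio.h>
#include <string.h>

/*
 * Simplified UTF-16 (BMP only, no surrogate pairs) to UTF-8 converter that
 * follows the shape of exif_convert_utf16_to_utf8() as far as the diff shows
 * it. Added example, not libexif code: the loop structure, the `fixed`
 * switch and the return value are assumptions for illustration.
 *
 * maxlen is the size of `out` in bytes, including the terminating NUL.
 * Each branch must therefore leave one byte spare: N UTF-8 bytes need
 * maxlen > N, not maxlen >= N. With fixed == 0 the three-byte branch uses the
 * pre-patch bound (maxlen > 2), which is the off-by-one the commit fixes.
 *
 * Returns the number of bytes written to `out`, including the NUL.
 */
static size_t utf16_to_utf8(char *out, const unsigned short *in, int maxlen, int fixed)
{
    char *start = out;

    if (maxlen <= 0)
        return 0;

    while (*in) {
        if (*in < 0x80) {
            if (maxlen <= 1)
                break;
            *out++ = (char)*in++;
            maxlen -= 1;
        } else if (*in < 0x800) {
            if (maxlen <= 2)
                break;
            *out++ = (char)(((*in >> 6) & 0x1F) | 0xC0);
            *out++ = (char)((*in++ & 0x3F) | 0x80);
            maxlen -= 2;
        } else {
            /* three bytes plus the NUL: four bytes of room are needed */
            if (maxlen <= (fixed ? 3 : 2))
                break;
            *out++ = (char)(((*in >> 12) & 0x0F) | 0xE0);
            *out++ = (char)(((*in >> 6) & 0x3F) | 0x80);
            *out++ = (char)((*in++ & 0x3F) | 0x80);
            maxlen -= 3;
        }
    }
    *out = '\0';   /* with the old bound this lands one byte past the declared room */
    return (size_t)(out - start) + 1;
}

/* Run the converter with 3 bytes of declared room on a 3-byte character and
 * report whether anything was written beyond those 3 bytes. The buffer is
 * larger than the declared room and padded with 'X' so the stray NUL is
 * observable without undefined behaviour. Returns 1 on overrun, 0 otherwise. */
static int overruns_three_byte_region(int fixed)
{
    const unsigned short in[] = { 0x20AC, 0 };   /* constructed input: U+20AC EURO SIGN */
    char buf[8];

    memset(buf, 'X', sizeof buf);
    utf16_to_utf8(buf, in, 3, fixed);
    return buf[3] != 'X';
}

/* With the fixed bound and four bytes of room the character converts in full:
 * E2 82 AC followed by NUL, and nothing is written beyond byte 3. Returns 1 on success. */
static int converts_with_room(void)
{
    const unsigned short in[] = { 0x20AC, 0 };   /* constructed input: U+20AC EURO SIGN */
    char buf[8];
    size_t n;

    memset(buf, 'X', sizeof buf);
    n = utf16_to_utf8(buf, in, 4, 1);
    return n == 4 &&
           (unsigned char)buf[0] == 0xE2 && (unsigned char)buf[1] == 0x82 &&
           (unsigned char)buf[2] == 0xAC && buf[3] == '\0' && buf[4] == 'X';
}

int main(void)
{
    printf("old bound (maxlen > 2): overrun = %d\n", overruns_three_byte_region(0));
    printf("new bound (maxlen > 3): overrun = %d\n", overruns_three_byte_region(1));
    printf("new bound with room:    ok = %d\n", converts_with_room());
    return 0;
}
```

With the old bound and exactly three bytes of room, the three UTF-8 bytes fill the buffer and the NUL written after the loop is the one-byte overrun from the commit message; with the new bound the branch refuses the character and only the NUL is written.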

libexif/exif-utils.c

index 22ee29f..f375de1 100644
@@ -239,7 +239,7 @@ exif_convert_utf16_to_utf8 (char *out, const unsigned short *in, int maxlen)
                                break;
                        }
                } else {
-                       if (maxlen > 2) {
+                       if (maxlen > 3) {
                                *out++ = ((*in >> 12) & 0x0F) | 0xE0;
                                *out++ = ((*in >> 6) & 0x3F) | 0x80;
                                *out++ = (*in++ & 0x3F) | 0x80;
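Review bot: the new bound `maxlen > 3` is right but nothing at this line says why it is one more than the three bytes the branch writes (`*out++ = ((*in >> 12) & 0x0F) | 0xE0;` and the two continuation bytes), which is exactly how `> 2` looked correct before; add a comment on the `if` stating that the fourth byte is reserved for the terminating NUL. The hunk also does not show `maxlen` being decremented after the three writes or what happens when the check fails (the `break;` in the leading context suggests the loop exits, but that path is outside the hunk), so please confirm that the one- and two-byte branches use the same one-spare-byte convention (`maxlen > 1`, `maxlen > 2`) rather than fixing only this branch.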