libexif-0.6.16 (fixes CVE-2006-4168)
authorHans Ulrich Niedermann <hun@n-dimensional.de>
Tue, 12 Jun 2007 15:50:16 +0000 (17:50 +0200)
committerHans Ulrich Niedermann <hun@n-dimensional.de>
Tue, 12 Jun 2007 15:50:16 +0000 (17:50 +0200)
NEWS
configure.ac
libexif/exif-data.c

diff --git a/NEWS b/NEWS
index e25ae7d..ee16fd3 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,5 @@
-libexif-0.6.16:
+libexif-0.6.16 (2007-06-12):
+  * Security fix: CVE-2006-4168 aka IDEF1514.
   * Updated translations: cz, pl, vi
 
 
index f283469..8da2617 100644 (file)
@@ -1,5 +1,5 @@
 AC_PREREQ(2.59)
-AC_INIT([EXIF library], [0.6.15], [libexif-devel@lists.sourceforge.net], [libexif])
+AC_INIT([EXIF library], [0.6.16], [libexif-devel@lists.sourceforge.net], [libexif])
 AC_CONFIG_SRCDIR([libexif/exif-data.h])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([auto-m4])
index b20e396..a8029c0 100644 (file)
@@ -167,13 +167,18 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
                  "Loading entry 0x%x ('%s')...", entry->tag,
                  exif_tag_get_name (entry->tag));
 
+       /* {0,1,2,4,8} x { 0x00000000 .. 0xffffffff } 
+        *   -> { 0x000000000 .. 0x7fffffff8 } */
+       s = exif_format_get_size(entry->format) * entry->components;
+       if (s < entry->components) {
+               return 0;
+       }
+       if (0 == s)
+               return 0;
        /*
         * Size? If bigger than 4 bytes, the actual data is not
         * in the entry but somewhere else (offset).
         */
-       s = exif_format_get_size (entry->format) * entry->components;
-       if (!s)
-               return 0;
        if (s > 4)
                doff = exif_get_long (d + offset + 8, data->priv->order);
        else
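Review bot: The new wraparound guard `if (s < entry->components)` only detects a truncated product for format sizes 1 and 2; for the 4- and 8-byte sizes that the added comment itself lists, a wrapped product can still compare greater than `entry->components` (constructed example: components = 0x60000000 with a 4-byte format gives 0x180000000, which truncates to 0x80000000 in a 32-bit `s` and slips past the check). The declaration of `s` is outside this hunk, so this assumes it is a 32-bit unsigned type, which is the case the comment's 0x7fffffff8 bound is warning about. Testing with a division before the multiply is exact for any multiplier and also folds in the separate `0 == s` test: `unsigned int fs = exif_format_get_size (entry->format);` / `if (fs == 0 || entry->components == 0 || entry->components > UINT_MAX / fs) return 0;` / `s = fs * entry->components;` (substitute the maximum of whatever type `s` is actually declared as if it is not `unsigned int`). The remainder of exif_data_load_data_entry, including where `s` and `doff` are checked against `size`, lies outside this hunk.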