2005-07-02 Lutz Mueller <lutz@users.sourceforge.net>

	* libexif/exif-data.c: Prevent infinite recursions (#1196787).

diff --git a/ChangeLog b/ChangeLog
index bc8c9d8..fed5e08 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2005-07-02  Lutz Mueller <lutz@users.sourceforge.net>
+
+       * libexif/exif-data.c: Prevent infinite recursions (#1196787).
+
 2005-06-19  Hubert Figuiere  <hfiguiere@teaser.fr>
 
        * test/Makefile.am (check_PROGRAMS): added check for make check

diff --git a/NEWS b/NEWS
index 4feb16a..6d6e7fd 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,6 @@
 New in CVS HEAD since 0.6.12 (2005-03-13):
 
-  * Bug fixes: #803191, #1051994, #1054321, #1054323
+  * Bug fixes: #803191, #1051994, #1054321, #1054323, #1196787
   
   * For pkg-config users, force usage of #include <libexif/exif-*.h>
     (disable #include <exif-.h>)

diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 07e6293..c765919 100644 (file)
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -300,7 +300,7 @@ if (data->ifd[(i)]->count) {                                \
 static void
 exif_data_load_data_content (ExifData *data, ExifIfd ifd,
                             const unsigned char *d,
-                            unsigned int ds, unsigned int offset)
+                            unsigned int ds, unsigned int offset, unsigned int l)
 {
        ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
        ExifShort n;
@@ -311,6 +311,12 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
        if (!data || !data->priv) return;
        if ((ifd < 0) || (ifd >= EXIF_IFD_COUNT)) return;
 
+       if (l > 150) {
+               exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+                               "Deep recursion detected!");
+               return;
+       }
+
        /* Read the number of entries */
        if (offset >= ds - 1) return;
        n = exif_get_short (d + offset, data->priv->order);
@@ -335,15 +341,15 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
                        switch (tag) {
                        case EXIF_TAG_EXIF_IFD_POINTER:
                                CHECK_REC (EXIF_IFD_EXIF);
-                               exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o);
+                               exif_data_load_data_content (data, EXIF_IFD_EXIF, d, ds, o, l + 1);
                                break;
                        case EXIF_TAG_GPS_INFO_IFD_POINTER:
                                CHECK_REC (EXIF_IFD_GPS);
-                               exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o);
+                               exif_data_load_data_content (data, EXIF_IFD_GPS, d, ds, o, l + 1);
                                break;
                        case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
                                CHECK_REC (EXIF_IFD_INTEROPERABILITY);
-                               exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o);
+                               exif_data_load_data_content (data, EXIF_IFD_INTEROPERABILITY, d, ds, o, l + 1);
                                break;
                        case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
                                thumbnail_offset = o;
@@ -782,7 +788,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
                  "IFD 0 at %i.", (int) offset);
 
        /* Parse the actual exif data (usually offset 14 from start) */
-       exif_data_load_data_content (data, EXIF_IFD_0, d + 6, ds - 6, offset);
+       exif_data_load_data_content (data, EXIF_IFD_0, d + 6, ds - 6, offset, 0);
 
        /* IFD 1 offset */
        if (offset + 6 + 2 > ds) {
@@ -804,7 +810,7 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
                        return;
                }
 
-               exif_data_load_data_content (data, EXIF_IFD_1, d + 6, ds - 6, offset);
+               exif_data_load_data_content (data, EXIF_IFD_1, d + 6, ds - 6, offset, 0);
        }
 
        /*