+2008-10-02 Niek Bergboer <niek@google.com>
+
+ * libexif/exif-data.c libexif/canon/exif-mnote-data-canon.c
+ libexif/fuji/exif-mnote-data-fuji.c
+ libexif/olympus/exif-mnote-data-olympus.c
+ libexif/pentax/exif-mnote-data-pentax.c:
+ Replaced unsigned int by size_t in some places
+ Added some checks on sizes, makernotes shouldn't
+ be larger than 64kb.
+
2008-09-04 Dan Fandrich <dan@coneharvesters.com>
- po/nl.po: Updated Dutch translation by Erwin Poeze
+ * po/nl.po: Updated Dutch translation by Erwin Poeze
2008-07-25 Marcus Meissner <marcus@jet.franken.de>
unsigned char **buf, unsigned int *buf_size)
{
ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
- unsigned int i, o, s, doff;
+ size_t i, o, s, doff;
unsigned char *t;
- unsigned int ts;
+ size_t ts;
if (!n || !buf || !buf_size) return;
o += 8;
s = exif_format_get_size (n->entries[i].format) *
n->entries[i].components;
+ if (s > 65536) {
+ /* Corrupt data: EXIF data size is limited to the
+ * maximum size of a JPEG segment (64 kb).
+ */
+ continue;
+ }
if (s > 4) {
ts = *buf_size + s;
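Review bot: The new guard `if (s > 65536)` tests the product after it may already have wrapped: `s` is now size_t, but `exif_format_get_size (n->entries[i].format) * n->entries[i].components` is evaluated in the operands' own width before the assignment (their declarations are not in this hunk; if both are 32-bit or narrower, a components value around 2^32/8 yields a small `s` that passes the check, and with a 32-bit size_t the same holds regardless). Bound the factor before multiplying, e.g. `size_t fs = exif_format_get_size (n->entries[i].format); if (fs && n->entries[i].components > 65536 / fs) continue; s = fs * n->entries[i].components;`. The same pattern appears in the fuji, olympus and pentax hunks below, and the literal 65536 repeated in four files would read better as one named constant shared by them. The enclosing function starts before this hunk and continues after it; since `*buf_size` is `unsigned int` while `ts` is size_t, the write-back of `ts` that presumably follows should be checked for truncation.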
{
ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne;
ExifShort c;
- unsigned int i, o, s;
+ size_t i, o, s;
MnoteCanonEntry *t;
if (!n || !buf || !buf_size || (buf_size < 6 + n->offset + 2)) return;
} else
doff = offset + 8;
- /* Write the data. Fill unneeded bytes with 0. */
- memcpy (*d + 6 + doff, e->data, s);
+ /* Write the data. Fill unneeded bytes with 0. Do not crash with
+ * e->data is NULL */
+ if (e->data) {
+ memcpy (*d + 6 + doff, e->data, s);
+ } else {
+ memset (*d + 6 + doff, 0, s);
+ }
if (s < 4)
memset (*d + 6 + doff + s, 0, (4 - s));
}
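Review bot: The comment above the new branch reads `Do not crash with e->data is NULL`; suggest `Do not crash when e->data is NULL: emit zeros for the entry's data instead.` Zero-filling quietly turns an entry whose size is non-zero but whose data pointer is NULL into a run of zeros in the output, so a debug-level `exif_log` call in the else branch would make such inconsistent entries visible to whoever built them (the `data` argument this function receives appears to carry the logger, judging by its use elsewhere on this page, but that is not visible in this hunk). The enclosing function starts before this hunk, and whether `s` can be non-zero while `e->data` is NULL cannot be confirmed from here.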
(ExifShort) (ifd->count + n_ptr + n_thumb));
offset += 2;
- /* Save each entry */
+ /*
+ * Save each entry. Make sure that no memcpys from NULL pointers are
+ * performed
+ */
exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
"Saving %i entries (IFD '%s', offset: %i)...",
ifd->count, exif_ifd_get_name (i), offset);
- for (j = 0; j < ifd->count; j++)
- exif_data_save_data_entry (data, ifd->entries[j], d, ds,
- offset + 12 * j);
+ for (j = 0; j < ifd->count; j++) {
+ if (ifd->entries[j]) {
+ exif_data_save_data_entry (data, ifd->entries[j], d, ds,
+ offset + 12 * j);
+ }
+ }
offset += 12 * ifd->count;
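Review bot: Skipping a NULL `ifd->entries[j]` leaves its 12-byte slot in the output untouched, while the count written just above (`ifd->count + n_ptr + n_thumb`) still includes it and `offset += 12 * ifd->count` still reserves the slot. Unless the buffer was zero-filled when it was grown (the allocation is outside this hunk), those 12 bytes are whatever the allocator returned and are emitted as a bogus directory entry that a reader of the saved file will try to interpret. Either zero the slot, `else memset (*d + 6 + offset + 12 * j, 0, 12);` (mirroring the `*d + 6 + doff` addressing used in exif_data_save_data_entry, to be confirmed against the buffer layout), or exclude NULL entries from the count before it is written. The enclosing function starts before this hunk and continues after it.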
unsigned int *buf_size)
{
ExifMnoteDataFuji *n = (ExifMnoteDataFuji *) ne;
- unsigned int i, o, s, doff;
+ size_t i, o, s, doff;
unsigned char *t;
- unsigned int ts;
+ size_t ts;
if (!n || !buf || !buf_size) return;
o += 8;
s = exif_format_get_size (n->entries[i].format) *
n->entries[i].components;
+ if (s > 65536) {
+ /* Corrupt data: EXIF data size is limited to the
+ * maximum size of a JPEG segment (64 kb).
+ */
+ continue;
+ }
if (s > 4) {
ts = *buf_size + s;
{
ExifMnoteDataFuji *n = (ExifMnoteDataFuji*) en;
ExifLong c;
- unsigned int i, o, s, datao = 6 + n->offset;
+ size_t i, o, s, datao = 6 + n->offset;
MnoteFujiEntry *t;
if (!n || !buf || !buf_size || (buf_size < datao + 12)) return;
unsigned char **buf, unsigned int *buf_size)
{
ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) ne;
- unsigned int i, o, s, doff, base = 0, o2 = 6 + 2;
- int datao = 0;
+ size_t i, o, s, doff, base = 0, o2 = 6 + 2;
+ size_t datao = 0;
unsigned char *t;
- unsigned int ts;
+ size_t ts;
if (!n || !buf || !buf_size) return;
o += 8;
s = exif_format_get_size (n->entries[i].format) *
n->entries[i].components;
+ if (s > 65536) {
+ /* Corrupt data: EXIF data size is limited to the
+ * maximum size of a JPEG segment (64 kb).
+ */
+ continue;
+ }
if (s > 4) {
doff = *buf_size;
ts = *buf_size + s;
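Review bot: `datao` changes from a signed `int` to `size_t` at `size_t datao = 0;`, but every use of it lies outside this hunk; if the original relied on `datao` holding a negative base adjustment or on a `< 0` check, that value now wraps to a huge unsigned number and comparisons such as `o2 + datao < ...` silently change meaning. Worth re-reading each use of `datao` in this function and, wherever a negative intermediate is possible, keeping that arithmetic signed or rejecting the entry before the assignment. The 64 kb guard in this hunk has the same pre-wrap weakness as the canon hunk above. The enclosing function starts before this hunk and continues after it.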
{
ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) en;
ExifShort c;
- unsigned int i, s, o, o2 = 0, datao = 6, base = 0;
+ size_t i, s, o, o2 = 0, datao = 6, base = 0;
if (!n || !buf) return;
const unsigned char *buf, unsigned int buf_size)
{
ExifMnoteDataPentax *n = (ExifMnoteDataPentax *) en;
- unsigned int i, o, s, datao = 6 + n->offset, base = 0;
+ size_t i, o, s, datao = 6 + n->offset, base = 0;
ExifShort c;
/* Number of entries */
*/
s = exif_format_get_size (n->entries[i].format) *
n->entries[i].components;
+ if (s > 65536) {
+ /* Corrupt data: EXIF data size is limited to the
+ * maximum size of a JPEG segment (64 kb).
+ */
+ continue;
+ }
if (!s) return;
o += 8;
if (s > 4) o = exif_get_long (buf + o, n->order) + 6;