From: Dan Fandrich
Date: Wed, 14 Jan 2009 06:31:18 +0000 (-0800)
Subject: Log a message when corrupted MakerNotes are found for Canon and Fuji
X-Git-Tag: libexif-0_6_21-release~168
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=febae387dafed8eba014b83fd78a1e9e56ac062b;p=platform%2Fupstream%2Flibexif.git
Log a message when corrupted MakerNotes are found for Canon and Fuji
---
diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c
index 2783d15..8d1b5f5 100644
--- a/libexif/canon/exif-mnote-data-canon.c
+++ b/libexif/canon/exif-mnote-data-canon.c
@@ -207,11 +207,16 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
 /* Parse the entries */
 for (i = 0; i < c; i++) {
 o = 6 + 2 + n->offset + 12 * i;
- if (o + 8 > buf_size) return;
+ if (o + 8 > buf_size) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon",
+ "Short MakerNote");
+ return;
+ }
 t = exif_mem_realloc (ne->mem, n->entries, sizeof (MnoteCanonEntry) * (i + 1));
- if (!t) return;
+ if (!t) return; /* out of memory */
 n->count = i + 1;
 n->entries = t;
 memset (&n->entries[i], 0, sizeof (MnoteCanonEntry));
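Review bot: The allocation-failure exit `if (!t) return; /* out of memory */` is still silent, so a load cut short by a failed realloc leaves no trace in the log, while the corrupt-data exit a few lines above it is now reported. The requested size grows with the entry count `c`, which is presumably read from the MakerNote itself (its assignment is outside the hunk), so this is a path a malformed file can drive. Suggest logging it too, e.g. `EXIF_LOG_NO_MEMORY (ne->log, "ExifMnoteCanon", sizeof (MnoteCanonEntry) * (i + 1));` before the return; the same applies to the `exif_mem_alloc` failure at the end of the next hunk. The function body starts and ends outside this hunk.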
@@ -220,19 +225,34 @@ exif_mnote_data_canon_load (ExifMnoteData *ne,
 n->entries[i].components = exif_get_long (buf + o + 4, n->order);
 n->entries[i].order = n->order;
+ exif_log (ne->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteCanon",
+ "Loading entry 0x%x ('%s')...", n->entries[i].tag,
+ mnote_canon_tag_get_name (n->entries[i].tag));
+
 /*
 * Size? If bigger than 4 bytes, the actual data is not
 * in the entry but somewhere else (offset).
 */
 s = exif_format_get_size (n->entries[i].format) * n->entries[i].components;
- if (!s) return;
+ if (!s) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon",
+ "Invalid zero-length tag size");
+ return;
+ }
 o += 8;
 if (s > 4) o = exif_get_long (buf + o, n->order) + 6;
- if (o + s > buf_size) return;
+ if (o + s > buf_size) {
+ exif_log (ne->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteCanon",
+ "Tag data past end of buffer (%u > %u)",
+ o+s, buf_size);
+ return;
+ }
 /* Sanity check */
 n->entries[i].data = exif_mem_alloc (ne->mem, sizeof (char) * s);
- if (!n->entries[i].data) return;
+ if (!n->entries[i].data) return; /* out of memory */
 n->entries[i].size = s;
 memcpy (n->entries[i].data, buf + o, s);
 }
diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c
index b7b311b..9a5677c 100644
--- a/libexif/fuji/exif-mnote-data-fuji.c
+++ b/libexif/fuji/exif-mnote-data-fuji.c
@@ -167,7 +167,11 @@ exif_mnote_data_fuji_load (ExifMnoteData *en,
 /* Parse the entries */
 for (i = 0; i < c; i++) {
 o = datao + 12 * i;
- if (datao + 12 > buf_size) return;
+ if (datao + 12 > buf_size) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+ "ExifMnoteDataFuji", "Short MakerNote");
+ return;
+ }
 t = exif_mem_realloc (en->mem, n->entries, sizeof (MnoteFujiEntry) * (i + 1));
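Review bot: The bounds check `if (o + s > buf_size)` can be defeated by integer wrap-around: when `s > 4`, `o` is rebuilt from a 32-bit value read out of the file (`exif_get_long (buf + o, n->order) + 6`) and `s` is a product of two file-supplied fields, so with unsigned operands the sum can wrap to a small number, pass the check, and let `memcpy (n->entries[i].data, buf + o, s)` read outside `buf`. The declarations of `o`, `s` and `buf_size` are outside the hunk, so the exact widths need confirming, but a form that cannot wrap is `if (o > buf_size || s > buf_size - o)`. The Fuji loader's `o + s > buf_size` check in the last hunk has the same shape. Separately, the new debug message passes `mnote_canon_tag_get_name (n->entries[i].tag)` straight to `%s`; if that lookup can return NULL for an unknown tag, the call is undefined on some C libraries and needs a fallback string.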
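Review bot: The guard `if (datao + 12 > buf_size)` tests the start of the entry table rather than the entry being parsed: `o = datao + 12 * i` is computed on the line above, but the comparison never uses `o`, so it gives the same answer for every `i`. For any entry after the first, nothing in this hunk stops the reads that follow from running past `buf_size`, and the new "Short MakerNote" message will not fire for the truncated files it is meant to report. The condition should be `if (o + 12 > buf_size)`. The rest of the loop body lies outside the hunk, so confirm there is no later per-entry check before relying on this one.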
@@ -188,7 +192,12 @@ exif_mnote_data_fuji_load (ExifMnoteData *en,
 if (!s) return;
 o += 8;
 if (s > 4) o = exif_get_long (buf + o, n->order) + 6 + n->offset;
- if (o + s > buf_size) return;
+ if (o + s > buf_size) {
+ exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteDataFuji",
+ "Tag data past end of buffer (%u > %u)",
+ o+s, buf_size);
+ return;
+ }
 /* Sanity check */
 n->entries[i].data = exif_mem_alloc (en->mem, s);
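Review bot: `if (!s) return;` at the top of this hunk still exits silently, although the Canon loader now reports the same condition as "Invalid zero-length tag size"; a Fuji note with a zero-sized tag therefore stops loading with nothing in the log. Suggest `exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteDataFuji", "Invalid zero-length tag size");` before the return. Also, the new message prints `o+s` and `buf_size` with `%u`; if `o` and `s` are `size_t` (their declarations are outside the hunk) the argument does not match the conversion on LP64 targets, and `(unsigned int)(o + s)` would make it well-defined. The format-specifier point applies to the Canon message in the second hunk as well.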