From a4bc43d9c735ee5fc894c50ee5544dcc06d8435c Mon Sep 17 00:00:00 2001
From: Hans Ulrich Niedermann
Date: Tue, 12 Jun 2007 17:50:16 +0200
Subject: [PATCH] libexif-0.6.16 (fixes CVE-2006-4168)
---
 NEWS | 3 ++-
 configure.ac | 2 +-
 libexif/exif-data.c | 11 ++++++++---
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/NEWS b/NEWS
index e25ae7d..ee16fd3 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,5 @@
-libexif-0.6.16:
+libexif-0.6.16 (2007-06-12):
+ * Security fix: CVE-2006-4168 aka IDEF1514.
 * Updated translations: cz, pl, vi
diff --git a/configure.ac b/configure.ac
index f283469..8da2617 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ(2.59)
-AC_INIT([EXIF library], [0.6.15], [libexif-devel@lists.sourceforge.net], [libexif])
+AC_INIT([EXIF library], [0.6.16], [libexif-devel@lists.sourceforge.net], [libexif])
 AC_CONFIG_SRCDIR([libexif/exif-data.h])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([auto-m4])
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index b20e396..a8029c0 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -167,13 +167,18 @@ exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
 "Loading entry 0x%x ('%s')...", entry->tag, exif_tag_get_name (entry->tag));
+ /* {0,1,2,4,8} x { 0x00000000 .. 0xffffffff } * -> { 0x000000000 .. 0x7fffffff8 } */
+ s = exif_format_get_size(entry->format) * entry->components;
+ if (s < entry->components) {
+ return 0;
+ }
+ if (0 == s)
+ return 0;
 /*
 * Size? If bigger than 4 bytes, the actual data is not
 * in the entry but somewhere else (offset).
 */
- s = exif_format_get_size (entry->format) * entry->components;
- if (!s)
- return 0;
 if (s > 4)
 doff = exif_get_long (d + offset + 8, data->priv->order);
 else
--
2.7.4
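Review bot: The wrap test `if (s < entry->components)` in the libexif/exif-data.c hunk does not catch every overflow of `exif_format_get_size(entry->format) * entry->components`: the added comment itself gives a product range up to 0x7fffffff8, and for an element size of 4 or 8 the truncated product can still be greater than or equal to `entry->components`, so a wrapped `s` can pass both new checks. Assuming `s` is a 32-bit unsigned type (its declaration is outside the hunk), the bound should be tested before multiplying, using a new local `fs`: `fs = exif_format_get_size(entry->format);` `if (fs == 0 || entry->components > UINT_MAX / fs) return 0;` `s = fs * entry->components;`. The body of exif_data_load_data_entry continues outside the hunk, so it cannot be seen here whether a later bounds check on `doff + s` rejects such values. Since `entry->format` and `entry->components` appear to come from the file being loaded, that later check should not be the only guard.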