From c26d1287382920361d4e7a06e621c93fb77097ab Mon Sep 17 00:00:00 2001
From: Dan Fandrich
Date: Fri, 1 Feb 2008 15:14:50 -0800
Subject: [PATCH] Fixed an error checking weakness reported in bug #1536244. It looks like that particular bug was actually solved earlier, but this doesn't hurt.
---
 NEWS | 2 +-
 libexif/exif-data.c | 7 ++++++-
 libexif/exif-loader.c | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index c54ea61..7879fab 100644
--- a/NEWS
+++ b/NEWS
@@ -2,7 +2,7 @@ libexif-0.6.16.2:
 * Updated translations: cs, de, pl, sk, vi
 * New translations: nl, se, en_CA
 * Enabled sv translation by default
- * Bug fixes: #1773810, #1774626, CVE-2007-6351, CVE-2007-6352
+ * Bug fixes: #1773810, #1774626, #1536244, CVE-2007-6351, CVE-2007-6352
 * Enhanced support of Canon and Olympus makernotes
 * Added support for Fuji and Sanyo makernotes
 * Added support for the NO_VERBOSE_TAG_STRINGS and NO_VERBOSE_TAG_DATA
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 25c80fc..eb007cb 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -916,14 +916,19 @@ exif_data_load_data (ExifData *data, const unsigned char *d_orig,
 void
 exif_data_save_data (ExifData *data, unsigned char **d, unsigned int *ds)
 {
+ if (ds)
+ *ds = 0; /* This means something went wrong */
+
 if (!data || !d || !ds)
 return;
 /* Header */
 *ds = 14;
 *d = exif_data_alloc (data, *ds);
- if (!*d)
+ if (!*d) {
+ *ds = 0;
 return;
+ }
 memcpy (*d, ExifHeader, 6);
 /* Order (offset 6) */
diff --git a/libexif/exif-loader.c b/libexif/exif-loader.c
index a8b8170..8ad2336 100644
--- a/libexif/exif-loader.c
+++ b/libexif/exif-loader.c
@@ -381,7 +381,7 @@ exif_loader_get_data (ExifLoader *loader)
 {
 ExifData *ed;
- if (!loader)
+ if (!loader || (loader->data_format == EL_DATA_FORMAT_UNKNOWN))
 return NULL;
 ed = exif_data_new_mem (loader->mem);
--
2.7.4
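Review bot: The early return at `if (!data || !d || !ds) return;` now reports failure through `*ds = 0` but leaves `*d` untouched, so a caller that passed an uninitialized pointer and tests or frees `*d` instead of checking the size still acts on a stale value. Clearing it next to the size reset, `if (d) *d = NULL;`, would make both out-parameters consistent on every failure path. Because the function returns void, its doc comment should state that `*ds == 0` is the only error signal. exif_data_save_data continues past the end of the hunk, so any later failure paths there presumably need the same reset and are worth checking.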
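Review bot: The added `loader->data_format == EL_DATA_FORMAT_UNKNOWN` test in exif_loader_get_data makes NULL a normal result for a loader that never recognised any EXIF data, but nothing in the hunk says so. A short comment above the check, e.g. `/* Nothing was recognised as EXIF: there is no data to hand to the parser */`, and a line in the function's documentation that callers must handle a NULL return would make the contract explicit. The function body continues after the hunk, so whether the buffered data and its size are also validated before parsing cannot be judged from here.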