From edac0f977269d5ced5bfa4fe9607c8dfb685daa8 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Thu, 2 Oct 2008 08:15:50 +0200 Subject: [PATCH] Replaced unsigned int by size_t in some places Added some checks on sizes, makernotes shouldn't be larger than 64kb. --- ChangeLog | 12 +++++++++++- libexif/canon/exif-mnote-data-canon.c | 12 +++++++++--- libexif/exif-data.c | 23 +++++++++++++++++------ libexif/fuji/exif-mnote-data-fuji.c | 12 +++++++++--- libexif/olympus/exif-mnote-data-olympus.c | 14 ++++++++++---- libexif/pentax/exif-mnote-data-pentax.c | 8 +++++++- 6 files changed, 63 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7cfd419..01c0545 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,16 @@ +2008-10-02 Niek Bergboer + + * libexif/exif-data.c libexif/canon/exif-mnote-data-canon.c + libexif/fuji/exif-mnote-data-fuji.c + libexif/olympus/exif-mnote-data-olympus.c + libexif/pentax/exif-mnote-data-pentax.c: + Replaced unsigned int by size_t in some places + Added some checks on sizes, makernotes shouldn't + be larger than 64kb. + 2008-09-04 Dan Fandrich - po/nl.po: Updated Dutch translation by Erwin Poeze + * po/nl.po: Updated Dutch translation by Erwin Poeze 2008-07-25 Marcus Meissner diff --git a/libexif/canon/exif-mnote-data-canon.c b/libexif/canon/exif-mnote-data-canon.c index a1ceb6b..2783d15 100644 --- a/libexif/canon/exif-mnote-data-canon.c +++ b/libexif/canon/exif-mnote-data-canon.c @@ -118,9 +118,9 @@ exif_mnote_data_canon_save (ExifMnoteData *ne, unsigned char **buf, unsigned int *buf_size) { ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne; - unsigned int i, o, s, doff; + size_t i, o, s, doff; unsigned char *t; - unsigned int ts; + size_t ts; if (!n || !buf || !buf_size) return; 
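Review bot: Widening `i`, `o`, `s`, `doff` and `ts` to `size_t` in exif_mnote_data_canon_save stops at the locals: the hunk's first line still declares the parameter as `unsigned int *buf_size`, so wherever the function later writes `ts` back through that pointer (presumably after the realloc, outside this hunk) the value is narrowed again, and on 32-bit targets `size_t` has the same width as `unsigned int` so `ts = *buf_size + s` (visible in the next hunk) can still wrap before the realloc. If overflow safety is the goal, check the sum rather than relying on the type: `if (ts < *buf_size || ts > UINT_MAX) return;` right after the addition, with `<limits.h>` included. The body of exif_mnote_data_canon_save continues past the end of this hunk.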
@@ -145,6 +145,12 @@ exif_mnote_data_canon_save (ExifMnoteData *ne, o += 8; s = exif_format_get_size (n->entries[i].format) * n->entries[i].components; + if (s > 65536) { + /* Corrupt data: EXIF data size is limited to the + * maximum size of a JPEG segment (64 kb). + */ + continue; + } if (s > 4) { ts = *buf_size + s; @@ -189,7 +195,7 @@ exif_mnote_data_canon_load (ExifMnoteData *ne, { ExifMnoteDataCanon *n = (ExifMnoteDataCanon *) ne; ExifShort c; - unsigned int i, o, s; + size_t i, o, s; MnoteCanonEntry *t; if (!n || !buf || !buf_size || (buf_size < 6 + n->offset + 2)) return; diff --git a/libexif/exif-data.c b/libexif/exif-data.c index 2bbbfda..314fd8b 100644 --- a/libexif/exif-data.c +++ b/libexif/exif-data.c @@ -293,8 +293,13 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e, } else doff = offset + 8; - /* Write the data. Fill unneeded bytes with 0. */ - memcpy (*d + 6 + doff, e->data, s); + /* Write the data. Fill unneeded bytes with 0. Do not crash with + * e->data is NULL */ + if (e->data) { + memcpy (*d + 6 + doff, e->data, s); + } else { + memset (*d + 6 + doff, 0, s); + } if (s < 4) memset (*d + 6 + doff + s, 0, (4 - s)); } @@ -540,13 +545,19 @@ exif_data_save_data_content (ExifData *data, ExifContent *ifd, (ExifShort) (ifd->count + n_ptr + n_thumb)); offset += 2; - /* Save each entry */ + /* + * Save each entry. Make sure that no memcpys from NULL pointers are + * performed + */ exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Saving %i entries (IFD '%s', offset: %i)...", ifd->count, exif_ifd_get_name (i), offset); - for (j = 0; j < ifd->count; j++) - exif_data_save_data_entry (data, ifd->entries[j], d, ds, - offset + 12 * j); + for (j = 0; j < ifd->count; j++) { + if (ifd->entries[j]) { + exif_data_save_data_entry (data, ifd->entries[j], d, ds, + offset + 12 * j); + } + } offset += 12 * ifd->count; diff --git a/libexif/fuji/exif-mnote-data-fuji.c b/libexif/fuji/exif-mnote-data-fuji.c index 8c3b6f9..b7b311b 100644 
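Review bot: The new `s > 65536` test in exif_mnote_data_canon_save runs after `exif_format_get_size (...) * n->entries[i].components` has already been evaluated, so if that product is computed in a 32-bit type (this depends on how ExifLong is defined and on the target) a component count such as 0x20000001 with an 8-byte format wraps to a small `s` that passes the check and then drives the realloc and copy below with a size unrelated to the entry. Bounding the operand instead of the result closes that gap: `size_t fs = exif_format_get_size (n->entries[i].format); if (fs && n->entries[i].components > 65536 / fs) continue;` placed ahead of the assignment to `s`. The loop body and the function continue beyond the hunk.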
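Review bot: In exif_data_save_data_entry the new NULL branch quietly substitutes `s` zero bytes for the missing payload, so an entry with no data but a non-zero size is written out without anyone being told. This file already logs through `exif_log (data->priv->log, ...)` (see the following hunk), so a line such as `exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", "Entry has no data, writing %lu zero bytes", (unsigned long) s);` in that branch would make the condition diagnosable. The non-NULL branch still copies `s` bytes out of `e->data`; if `s` is derived from format and component count above the hunk rather than from the entry's own recorded buffer length, any mismatch between the two over-reads `e->data`, so copying at most the entry's recorded size would be the safer choice. The function begins before this hunk.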
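Review bot: Skipping a NULL `ifd->entries[j]` in exif_data_save_data_content leaves a hole in the output: the directory count emitted at the top of the hunk, `(ExifShort) (ifd->count + n_ptr + n_thumb)`, and the advance `offset += 12 * ifd->count` still account for that entry, so its 12-byte slot at `*d + 6 + offset + 12 * j` is never written and a reader parses whatever the buffer held there. Either count only non-NULL entries before writing the header, or at least blank the slot in an `else` branch: `memset (*d + 6 + offset + 12 * j, 0, 12);`. Whether the buffer is zero-filled before this point is not visible here. The function starts before and ends after this hunk.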
--- a/libexif/fuji/exif-mnote-data-fuji.c +++ b/libexif/fuji/exif-mnote-data-fuji.c @@ -78,9 +78,9 @@ exif_mnote_data_fuji_save (ExifMnoteData *ne, unsigned char **buf, unsigned int *buf_size) { ExifMnoteDataFuji *n = (ExifMnoteDataFuji *) ne; - unsigned int i, o, s, doff; + size_t i, o, s, doff; unsigned char *t; - unsigned int ts; + size_t ts; if (!n || !buf || !buf_size) return; @@ -114,6 +114,12 @@ exif_mnote_data_fuji_save (ExifMnoteData *ne, unsigned char **buf, o += 8; s = exif_format_get_size (n->entries[i].format) * n->entries[i].components; + if (s > 65536) { + /* Corrupt data: EXIF data size is limited to the + * maximum size of a JPEG segment (64 kb). + */ + continue; + } if (s > 4) { ts = *buf_size + s; @@ -146,7 +152,7 @@ exif_mnote_data_fuji_load (ExifMnoteData *en, { ExifMnoteDataFuji *n = (ExifMnoteDataFuji*) en; ExifLong c; - unsigned int i, o, s, datao = 6 + n->offset; + size_t i, o, s, datao = 6 + n->offset; MnoteFujiEntry *t; if (!n || !buf || !buf_size || (buf_size < datao + 12)) return; diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c index 6106707..dbb1cee 100644 --- a/libexif/olympus/exif-mnote-data-olympus.c +++ b/libexif/olympus/exif-mnote-data-olympus.c @@ -86,10 +86,10 @@ exif_mnote_data_olympus_save (ExifMnoteData *ne, unsigned char **buf, unsigned int *buf_size) { ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) ne; - unsigned int i, o, s, doff, base = 0, o2 = 6 + 2; - int datao = 0; + size_t i, o, s, doff, base = 0, o2 = 6 + 2; + size_t datao = 0; unsigned char *t; - unsigned int ts; + size_t ts; if (!n || !buf || !buf_size) return; @@ -173,6 +173,12 @@ exif_mnote_data_olympus_save (ExifMnoteData *ne, o += 8; s = exif_format_get_size (n->entries[i].format) * n->entries[i].components; + if (s > 65536) { + /* Corrupt data: EXIF data size is limited to the + * maximum size of a JPEG segment (64 kb). + */ + continue; + } if (s > 4) { doff = *buf_size; ts = *buf_size + s; 
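Review bot: The `continue` added to exif_mnote_data_fuji_save abandons an entry after `o += 8`, i.e. after its tag, format and component count have presumably been emitted into the directory slot above the hunk, but before the 4-byte value/offset word at `*buf + o` is written; the saved MakerNote then advertises an entry claiming more than 64 KiB of data whose offset word is whatever the buffer happened to contain. If the entry is to be dropped, neutralise the slot first: `exif_set_long (*buf + o - 4, n->order, 0); memset (*buf + o, 0, 4); continue;` (components forced to 0, value word zeroed), or better, exclude it from the count written earlier. The loop and the function continue beyond this hunk.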
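Review bot: exif_mnote_data_fuji_load dereferences `n` in the initializer `datao = 6 + n->offset` one line before the guard `if (!n || !buf || !buf_size || ...) return;` tests it, so the NULL check can never take effect; the defect predates this commit, but the retyped declaration is the natural place to fix it. Declare `size_t i, o, s, datao;` and assign after the guard: `if (!n || !buf || !buf_size) return; datao = 6 + n->offset; if (buf_size < datao + 12) return;`. The function body continues after the hunk.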
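Review bot: `datao` in exif_mnote_data_olympus_save changes sign, from `int` to `size_t`, which is a semantic change rather than a mere widening: it was the only signed local in that group, and if the rest of the function (outside this hunk) assigns it a negated offset or compares it with `<`, the arithmetic now wraps where it previously went negative. Please confirm each use of `datao` below still produces the same 32-bit value by the time it reaches `exif_set_long`, and record the reasoning on the declaration, e.g. `size_t datao = 0; /* only ever combined with doff and truncated to 32 bits */` — if that is in fact what happens. The function continues past the hunk.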
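Review bot: The bound in exif_mnote_data_olympus_save is the fourth copy of the identical `if (s > 65536)` block and its three-line comment; the limit is a property of JPEG segments, not of Olympus notes, so it belongs in one shared definition that all five call sites use, e.g. `#define EXIF_MAX_DATA_SIZE 65536` in a header every mnote file already includes. That also lets the comment be precise in one place: the code tests 65536 bytes, the comment says `64 kb`, and the usable Exif payload of an APP1 segment is in fact a little less than 64 KiB once the segment length and the Exif identifier are counted. The loop continues beyond the hunk.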
@@ -201,7 +207,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en, { ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) en; ExifShort c; - unsigned int i, s, o, o2 = 0, datao = 6, base = 0; + size_t i, s, o, o2 = 0, datao = 6, base = 0; if (!n || !buf) return; diff --git a/libexif/pentax/exif-mnote-data-pentax.c b/libexif/pentax/exif-mnote-data-pentax.c index 8de8de3..0d17d62 100644 --- a/libexif/pentax/exif-mnote-data-pentax.c +++ b/libexif/pentax/exif-mnote-data-pentax.c @@ -73,7 +73,7 @@ exif_mnote_data_pentax_load (ExifMnoteData *en, const unsigned char *buf, unsigned int buf_size) { ExifMnoteDataPentax *n = (ExifMnoteDataPentax *) en; - unsigned int i, o, s, datao = 6 + n->offset, base = 0; + size_t i, o, s, datao = 6 + n->offset, base = 0; ExifShort c; /* Number of entries */ @@ -118,6 +118,12 @@ exif_mnote_data_pentax_load (ExifMnoteData *en, */ s = exif_format_get_size (n->entries[i].format) * n->entries[i].components; + if (s > 65536) { + /* Corrupt data: EXIF data size is limited to the + * maximum size of a JPEG segment (64 kb). + */ + continue; + } if (!s) return; o += 8; if (s > 4) o = exif_get_long (buf + o, n->order) + 6; -- 2.7.4
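Review bot: The entry guard of exif_mnote_data_olympus_load, `if (!n || !buf) return;`, does not look at `buf_size` at all, whereas the Canon and Fuji loaders in this same patch reject a buffer shorter than the header they are about to read (`buf_size < 6 + n->offset + 2`, `buf_size < datao + 12`); unless a check follows lower in the function, the header reads after this point trust a length the caller never validated. Aligning it with the siblings is one line, `if (!n || !buf || !buf_size) return;`, followed by a minimum-length test sized to the fields parsed next, e.g. `if (buf_size < datao + 10) return;` with the constant chosen from the header layout below. The function continues outside the hunk.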
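Review bot: As in the Fuji loader, exif_mnote_data_pentax_load reads `n->offset` in the declaration `datao = 6 + n->offset` before any NULL test on `n` can run; if the guard below the hunk checks `!n` the way its siblings do, it is ineffective against a NULL `en`. Keep the declaration bare, `size_t i, o, s, datao, base = 0;`, and assign `datao = 6 + n->offset;` after the guard. The function continues after this hunk.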
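Review bot: In exif_mnote_data_pentax_load the new `continue` drops an entry whose `format` and `components` have already been stored in `n->entries[i]` (the check reads them from there), while that slot's size and data fields are never set; whether they are zero depends on how `n->entries` was allocated, which is not visible here, and a stale `data` pointer could be dereferenced later by the save or value-formatting paths. Make the skip explicit, `n->entries[i].size = 0; n->entries[i].data = NULL; continue;`, and given that the very next line aborts the whole load on `!s`, consider whether an oversized entry should likewise `return` rather than leave a half-populated entry behind. The function ends beyond the hunk.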