fixes some (not all) buffer overreads during decoding pentax makernote entries.
authorMarcus Meissner <marcus@jet.franken.de>
Tue, 25 Jul 2017 21:44:44 +0000 (23:44 +0200)
committerDan Fandrich <dan@coneharvesters.com>
Tue, 25 Jul 2017 21:44:44 +0000 (23:44 +0200)
This should fix:
https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328

libexif/pentax/mnote-pentax-entry.c

index d03d159..ea0429a 100644 (file)
@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
                case EXIF_FORMAT_SHORT:
                  {
                        const unsigned char *data = entry->data;
-                       size_t k, len = strlen(val);
+                       size_t k, len = strlen(val), sizeleft;
+
+                       sizeleft = entry->size;
                        for(k=0; k<entry->components; k++) {
+                               if (sizeleft < 2)
+                                       break;
                                vs = exif_get_short (data, entry->order);
                                snprintf (val+len, maxlen-len, "%i ", vs);
                                len = strlen(val);
                                data += 2;
+                               sizeleft -= 2;
                        }
                  }
                  break;
                case EXIF_FORMAT_LONG:
                  {
                        const unsigned char *data = entry->data;
-                       size_t k, len = strlen(val);
+                       size_t k, len = strlen(val), sizeleft;
+
+                       sizeleft = entry->size;
                        for(k=0; k<entry->components; k++) {
+                               if (sizeleft < 4)
+                                       break;
                                vl = exif_get_long (data, entry->order);
                                snprintf (val+len, maxlen-len, "%li", (long int) vl);
                                len = strlen(val);
                                data += 4;
+                               sizeleft -= 4;
                        }
                  }
                  break;
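Review bot: The new `if (sizeleft < 2) break;` / `if (sizeleft < 4) break;` guards silently truncate the printed list when entry->size is smaller than components times the element width, and nothing in the hunk says why entry->size rather than entry->components is the trusted bound; a one-line comment above each guard such as `/* entry->size comes from the file and may be smaller than components * width; stop before reading past it */` would record the reason for the next maintainer. As a matter of style, `sizeleft` is declared on one line and assigned two lines later, and the element width is repeated as a literal three times per case; `size_t sizeleft = entry->size;` at the declaration, with the width taken once from `exif_format_get_size (entry->format)` if that helper is available in this tree, would keep the guard, the pointer advance and the decrement in agreement. The same pattern appears in both the EXIF_FORMAT_SHORT and EXIF_FORMAT_LONG cases of this hunk. The enclosing function mnote_pentax_entry_get_value starts before the hunk, so whether entry->data and entry->size are validated earlier cannot be confirmed from here.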
@@ -455,5 +465,5 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
                break;
        }
 
-       return (val);
+       return val;
 }