If too large an indent is given, a local buffer will overflow. This
can't happen when called through exif_data_dump (which is likely the
most common case), and since these dump functions are documented as being for diagnostic
purposes only, this shouldn't pose too big a security risk in the wild.
Reported-by: jonnygrant.
(not exploitable by malicious data)
exif_content_dump (ExifContent *content, unsigned int indent)
{
char buf[1024];
- unsigned int i;
-
- for (i = 0; i < 2 * indent; i++)
- buf[i] = ' ';
- buf[i] = '\0';
+ unsigned int i, l;
if (!content)
return;
+ l = MIN(sizeof(buf)-1, 2*indent);
+ memset(buf, ' ', l);
+ buf[l] = '\0';
+
printf ("%sDumping exif content (%u entries)...\n", buf,
content->count);
for (i = 0; i < content->count; i++)
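Review bot: In `l = MIN(sizeof(buf)-1, 2*indent);` the product `2*indent` is computed in `unsigned int` before the clamp, so it wraps once `indent` exceeds `UINT_MAX/2` and a huge indent prints little or no padding instead of the maximum. The write stays in bounds either way because `l` can never exceed `sizeof(buf)-1`, but clamping before doubling removes the surprise: `l = 2 * MIN((sizeof(buf)-1)/2, indent);`, preceded by a comment such as `/* indent is caller-supplied; clamp so the padding always fits in buf */`. The same three added lines appear in the second hunk (the function that declares `char value[1024]`) and deserve the same change. `MIN` and `memset` are not declared in the visible lines, so it is worth confirming this file already pulls in their definitions; the body of `exif_content_dump` continues past the end of the hunk.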
{
char buf[1024];
char value[1024];
- unsigned int i;
-
- for (i = 0; i < 2 * indent; i++)
- buf[i] = ' ';
- buf[i] = '\0';
+ unsigned int l;
if (!e)
return;
+ l = MIN(sizeof(buf)-1, 2*indent);
+ memset(buf, ' ', l);
+ buf[l] = '\0';
+
printf ("%sTag: 0x%x ('%s')\n", buf, e->tag,
exif_tag_get_name_in_ifd (e->tag, exif_entry_get_ifd(e)));
printf ("%s Format: %i ('%s')\n", buf, e->format,