projects / platform / upstream / libexif.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3454046)
handle illegal offsets earlier
authorMarcus Meissner <marcus@jet.franken.de>
Sun, 17 May 2020 08:20:15 +0000 (10:20 +0200)
committerMarcus Meissner <marcus@jet.franken.de>
Sun, 17 May 2020 08:20:15 +0000 (10:20 +0200)
Bail out if an offset runs over the datasize.

fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20065&q=libexif&can=2

libexif/exif-data.c patch | blob | history

diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 65ae93d..8b280d3 100644 (file)
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -448,6 +448,11 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
                case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
                        o = exif_get_long (d + offset + 12 * i + 8,
                                           data->priv->order);
+                       if (o >= ds) {
+                               exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+                                         "Tag data past end of buffer (%u > %u)", offset+2, ds);
+                               return;
+                       }
                        /* FIXME: IFD_POINTER tags aren't marked as being in a
                         * specific IFD, so exif_tag_get_name_in_ifd won't work
                         */
Domain: Multimedia / Media Camera;