packages/libexif
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
libexif/libexif-bugfix-large-loop-in-exif_loader_get_data.patch

29 lines
1.0 KiB
Diff
Raw Permalink Normal View History

fix large loop in func exif_loader_get_data
2020-08-08 12:35:18 +08:00
From cdf1e32cb71c22c3df5d806d74384b3189008a47 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <marcus@jet.franken.de>
Date: Sun, 17 May 2020 10:20:15 +0200
Subject: [PATCH] handle illegal offsets earlier
Bail out if an offset runs over the datasize.
fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20065&q=libexif&can=2
---
libexif/exif-data.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 65ae93d..8b280d3 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -448,6 +448,11 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
o = exif_get_long (d + offset + 12 * i + 8,
data->priv->order);
+ if (o >= ds) {
+ exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
+ "Tag data past end of buffer (%u > %u)", offset+2, ds);
+ return;
+ }
/* FIXME: IFD_POINTER tags aren't marked as being in a
* specific IFD, so exif_tag_get_name_in_ifd won't work
*/
Reference in New Issue Copy Permalink