From: Lutz M. <lu...@us...> - 2009-03-21 22:03:14
Update of /cvsroot/libexif/libexif/libexif/fuji In directory ddv4jf1.ch3.sourceforge.com:/tmp/cvs-serv31085/libexif/fuji Modified Files: exif-mnote-data-fuji.c Log Message: 2009-03-21 Lutz Mueller <lu...@us...> Meder Kydyraliev <me...@gm...> suggested to add some sanity checks: * libexif/exif-data.c (exif_data_load_entry), (exif_data_load_data_thumbnail) * libexif/canon/exif_mnote-data-canon.c (exif_mnote_data_canon_load) * libexif/fuji/exif-mnote-data-fuji.c (exif_mnote_data_fuji_load) * libexif/olympus/exif-mnote-data-olympus.c (exif_mnote_data_olympus_load) * libexif/pentax/exif-mnote-data-pentax.c (exif_mnote_data_pentax_load)
Index: exif-mnote-data-fuji.c
===================================================================
RCS file: /cvsroot/libexif/libexif/libexif/fuji/exif-mnote-data-fuji.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -d -r1.7 -r1.8
--- exif-mnote-data-fuji.c	14 Jan 2009 06:31:18 -0000	1.7
+++ exif-mnote-data-fuji.c	21 Mar 2009 22:03:09 -0000	1.8
@@ -155,11 +155,15 @@ exif_mnote_data_fuji_load (ExifMnoteData
 	size_t i, o, s, datao = 6 + n->offset;
 	MnoteFujiEntry *t;
 
-	if (!n || !buf || !buf_size || (buf_size < datao + 12)) return;
+	if (!n || !buf || !buf_size || (datao + 12 < datao) ||
+	    (datao + 12 < 12) || (datao + 12 > buf_size))
+		return;
 
 	/* Read the number of entries and remove old ones. */
 	n->order = EXIF_BYTE_ORDER_INTEL;
 	datao += exif_get_long (buf + datao + 8, EXIF_BYTE_ORDER_INTEL);
+	if ((datao + 2 < datao) || (datao + 2 < 2))
+		return;
 	c = exif_get_short (buf + datao, EXIF_BYTE_ORDER_INTEL);
 	datao += 2;
 	exif_mnote_data_fuji_clear (n);
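Review bot: The second added guard, `if ((datao + 2 < datao) || (datao + 2 < 2)) return;`, only rejects arithmetic wrap-around and never compares the advanced `datao` against `buf_size`, so when the 32-bit offset read from `buf + datao + 8` points past the end of the buffer, the following `exif_get_short (buf + datao, ...)` still reads out of bounds; the guard should be `if ((datao + 2 < datao) || (datao + 2 < 2) || (datao + 2 > buf_size)) return;`. The `datao += exif_get_long (...)` addition itself can wrap where `size_t` is 32 bits, and a wrap there is not caught by a later check on `datao + 2`; keeping the long in a local and checking `datao + offset` against both `datao` and `buf_size` before adding would close that too. The `(datao + 12 < 12)` and `(datao + 2 < 2)` terms are redundant with the `< datao` terms, since an unsigned sum that wrapped is necessarily smaller than either operand. exif_mnote_data_fuji_load begins before this hunk and its body continues after it.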
@@ -192,10 +196,10 @@ exif_mnote_data_fuji_load (ExifMnoteData
 		if (!s) return;
 		o += 8;
 		if (s > 4) o = exif_get_long (buf + o, n->order) + 6 + n->offset;
-		if (o + s > buf_size) {
-			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteDataFuji",
-				"Tag data past end of buffer (%u > %u)",
-				o+s, buf_size);
+		if ((o + s < o) || (o + s < s) || (o + s > buf_size)) {
+			exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
+				"ExifMnoteDataFuji", "Tag data past end of "
+				"buffer (%u > %u)", o + s, buf_size);
 			return;
 		}
|