On Sat, Dec 15, 2007 at 07:56:36AM +0000, Lutz Müller wrote:
> Update of /cvsroot/libexif/libexif/libexif
> In directory sc8-pr-cvs6.sourceforge.net:/tmp/cvs-serv27983/libexif
>
> Modified Files:
> exif-data.c
> Log Message:
> 2007-12-15 Lutz Mueller <lu...@us...>
>
> * po/*.po: Updated po-files.
> * libexif/exif-data.c: (exif_data_load_data_thumbnail) guard against
> negative size (in addition to negative offset), too.
>
>
> Index: exif-data.c
> ===================================================================
> RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v
> retrieving revision 1.103
> retrieving revision 1.104
> diff -u -p -d -r1.103 -r1.104
> --- exif-data.c 14 Dec 2007 20:32:35 -0000 1.103
> +++ exif-data.c 15 Dec 2007 07:56:34 -0000 1.104
> @@ -299,7 +299,7 @@ static void
> exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
> unsigned int ds, ExifLong offset, ExifLong size)
> {
> - if ((ds < offset + size) || (offset < 0) || (offset > ds)) {
> + if ((ds < offset + size) || (size <= 0) || (offset <= 0)) {
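
Review bot: the first test on the added line, `(ds < offset + size)`, still forms the sum before anything guards it, and the `(offset > ds)` test from the removed line is gone. With `unsigned int ds` in the signature and ExifLong unsigned (as the reply below states), a large `size` can wrap `offset + size` to a small value that passes this test, while `size <= 0` and `offset <= 0` only ever match 0. Suggest keeping `(offset > ds)` and bounding the length without a sum, e.g. `(size > ds - offset)`, and saying in the log message that offset 0 is now rejected if that is intended.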

ExifLong is unsigned int. size or offset cannot become < 0,
so this change is very likely incorrect.

Perhaps use (size > UINT_MAX-offset); this avoids those pesky overflows.

Ciao, Marcus
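
The wraparound discussed in the reply above, as an added example that is not part of the original message or of libexif. It models `ds` and ExifLong as `uint32_t` (an assumption based on the reply's statement that ExifLong is unsigned int); the function names and the sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers, not libexif code. Each returns 1 when the
 * (offset, size) pair is rejected and 0 when it is accepted. */

/* The condition from the patched line, with unsigned operands. */
static int rejects_patched(uint32_t ds, uint32_t offset, uint32_t size)
{
    /* offset + size is computed modulo 2^32, so it can wrap to a small
     * value; "<= 0" on an unsigned operand only matches 0. */
    return (ds < offset + size) || (size <= 0) || (offset <= 0);
}

/* Same condition with the guard suggested in the reply placed first. */
static int rejects_guarded(uint32_t ds, uint32_t offset, uint32_t size)
{
    if (size > UINT32_MAX - offset)   /* offset + size would wrap */
        return 1;
    return (ds < offset + size) || (size == 0) || (offset == 0);
}

int main(void)
{
    /* Constructed sample inputs: { ds, offset, size } */
    static const uint32_t cases[][3] = {
        { 1000, 100,         200         },  /* fits in the buffer      */
        { 1000, 900,         200         },  /* runs past the end       */
        { 1000, 16,          0xFFFFFFF8u },  /* sum wraps to 8          */
        { 1000, 0xFFFFFFF0u, 0x20u       },  /* sum wraps to 0x10       */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t ds = cases[i][0], off = cases[i][1], sz = cases[i][2];
        printf("ds=%u offset=%#x size=%#x patched=%s guarded=%s\n",
               ds, off, sz,
               rejects_patched(ds, off, sz) ? "reject" : "ACCEPT",
               rejects_guarded(ds, off, sz) ? "reject" : "ACCEPT");
    }
    return 0;
}
```

The last two rows are the interesting ones: the patched condition accepts them because the wrapped sum is smaller than `ds`, while the guarded form rejects them.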