Update of /cvsroot/libexif/libexif/libexif/olympus
In directory ddv4jf1.ch3.sourceforge.com:/tmp/cvs-serv31085/libexif/olympus
Modified Files:
exif-mnote-data-olympus.c
Log Message:
2009-03-21 Lutz Mueller <lu...@us...>
Meder Kydyraliev <me...@gm...> suggested to add some sanity
checks:
* libexif/exif-data.c (exif_data_load_entry),
(exif_data_load_data_thumbnail)
* libexif/canon/exif_mnote-data-canon.c
(exif_mnote_data_canon_load)
* libexif/fuji/exif-mnote-data-fuji.c
(exif_mnote_data_fuji_load)
* libexif/olympus/exif-mnote-data-olympus.c
(exif_mnote_data_olympus_load)
* libexif/pentax/exif-mnote-data-pentax.c
(exif_mnote_data_pentax_load)
Index: exif-mnote-data-olympus.c
===================================================================
RCS file: /cvsroot/libexif/libexif/libexif/olympus/exif-mnote-data-olympus.c,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -p -d -r1.39 -r1.40
--- exif-mnote-data-olympus.c 14 Jan 2009 07:22:14 -0000 1.39
+++ exif-mnote-data-olympus.c 21 Mar 2009 22:03:09 -0000 1.40
@@ -380,7 +380,7 @@ exif_mnote_data_olympus_load (ExifMnoteD
/* Parse all c entries, storing ones that are successfully parsed */
for (i = c, tcount = 0, o = o2; i; --i, o += 12) {
size_t dataofs;
- if (o + 12 > buf_size) {
+ if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) {
exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA,
"ExifMnoteOlympus", "Short MakerNote");
break;
@@ -427,11 +427,12 @@ exif_mnote_data_olympus_load (ExifMnoteD
}
#endif
}
- if (dataofs + s > buf_size) {
+ if ((dataofs + s < dataofs) || (dataofs + s < s) ||
+ (dataofs + s > buf_size)) {
exif_log (en->log, EXIF_LOG_CODE_DEBUG,
"ExifMnoteOlympus",
"Tag data past end of buffer (%u > %u)",
- dataofs+s, buf_size);
+ dataofs + s, buf_size);
continue;
}
|
