From: Lutz M. <lu...@us...> - 2009-03-21 22:03:27
Update of /cvsroot/libexif/libexif/libexif/olympus In directory ddv4jf1.ch3.sourceforge.com:/tmp/cvs-serv31085/libexif/olympus Modified Files: exif-mnote-data-olympus.c Log Message: 2009-03-21 Lutz Mueller <lu...@us...> Meder Kydyraliev <me...@gm...> suggested to add some sanity checks: * libexif/exif-data.c (exif_data_load_entry), (exif_data_load_data_thumbnail) * libexif/canon/exif_mnote-data-canon.c (exif_mnote_data_canon_load) * libexif/fuji/exif-mnote-data-fuji.c (exif_mnote_data_fuji_load) * libexif/olympus/exif-mnote-data-olympus.c (exif_mnote_data_olympus_load) * libexif/pentax/exif-mnote-data-pentax.c (exif_mnote_data_pentax_load) Index: exif-mnote-data-olympus.c =================================================================== RCS file: /cvsroot/libexif/libexif/libexif/olympus/exif-mnote-data-olympus.c,v retrieving revision 1.39 retrieving revision 1.40 diff -u -p -d -r1.39 -r1.40 --- exif-mnote-data-olympus.c 14 Jan 2009 07:22:14 -0000 1.39 +++ exif-mnote-data-olympus.c 21 Mar 2009 22:03:09 -0000 1.40 @@ -380,7 +380,7 @@ exif_mnote_data_olympus_load (ExifMnoteD /* Parse all c entries, storing ones that are successfully parsed */ for (i = c, tcount = 0, o = o2; i; --i, o += 12) { size_t dataofs; - if (o + 12 > buf_size) { + if ((o + 12 < o) || (o + 12 < 12) || (o + 12 > buf_size)) { exif_log (en->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifMnoteOlympus", "Short MakerNote"); break; @@ -427,11 +427,12 @@ exif_mnote_data_olympus_load (ExifMnoteD } #endif } - if (dataofs + s > buf_size) { + if ((dataofs + s < dataofs) || (dataofs + s < s) || + (dataofs + s > buf_size)) { exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteOlympus", "Tag data past end of buffer (%u > %u)", - dataofs+s, buf_size); + dataofs + s, buf_size); continue; } |
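Review bot: In the first hunk (the `o + 12` test at the top of the entry loop), the two wraparound tests `(o + 12 < o)` and `(o + 12 < 12)` only work if `o` has an unsigned type, and in that case they are equivalent, so one of them is redundant. If `o` is signed, the overflow is undefined behaviour and the compiler is free to drop both tests. Comparing against the remaining space avoids forming a sum that can wrap at all, for example `if ((buf_size < 12) || (o > buf_size - 12))`. A one-line comment stating that the check guards against offset wraparound would also help, since the log text "Short MakerNote" does not say so.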
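Review bot: In the second hunk (the `dataofs + s` test), the log call still prints `dataofs + s`, so in the wraparound case the new tests are there to catch, it reports the wrapped sum, which may be smaller than `buf_size` and then contradicts the "(%u > %u)" text. `dataofs` is declared `size_t` in the context of the first hunk, so `%u` is also a mismatched conversion wherever `size_t` is wider than `unsigned int`. Consider logging `dataofs` and `s` as separate values with matching format specifiers, and writing the test without a wrapping sum, for example `if ((dataofs > buf_size) || (s > buf_size - dataofs))`. This rejection is also logged with EXIF_LOG_CODE_DEBUG while the bounds check in the first hunk uses EXIF_LOG_CODE_CORRUPT_DATA; the same code would fit here.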