From: Lutz M. <lu...@us...> - 2009-03-21 22:04:27
Update of /cvsroot/libexif/libexif/libexif In directory ddv4jf1.ch3.sourceforge.com:/tmp/cvs-serv31085/libexif Modified Files: exif-data.c Log Message: 2009-03-21 Lutz Mueller <lu...@us...> Meder Kydyraliev <me...@gm...> suggested to add some sanity checks: * libexif/exif-data.c (exif_data_load_entry), (exif_data_load_data_thumbnail) * libexif/canon/exif_mnote-data-canon.c (exif_mnote_data_canon_load) * libexif/fuji/exif-mnote-data-fuji.c (exif_mnote_data_fuji_load) * libexif/olympus/exif-mnote-data-olympus.c (exif_mnote_data_olympus_load) * libexif/pentax/exif-mnote-data-pentax.c (exif_mnote_data_pentax_load)
Index: exif-data.c
===================================================================
RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v
retrieving revision 1.118
retrieving revision 1.119
diff -u -p -d -r1.118 -r1.119
--- exif-data.c 22 Jan 2009 07:27:57 -0000 1.118
+++ exif-data.c 21 Mar 2009 22:03:09 -0000 1.119
@@ -196,9 +196,7 @@ exif_data_load_data_entry (ExifData *dat
 doff = offset + 8;
 /* Sanity checks */
- if ((doff + s < doff) || (doff + s < s))
- return 0;
- if (size < doff + s)
+ if ((doff + s < doff) || (doff + s < s) || (doff + s > size))
 return 0;
 entry->data = exif_data_alloc (data, s);
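Review bot: The merged guard `(doff + s < doff) || (doff + s < s) || (doff + s > size)` only works if the sum wraps as an unsigned value and the wrap tests run before the bound test. Comparing by subtraction, `if ((doff > size) || (s > size - doff)) return 0;`, cannot wrap and needs no separate overflow terms. The same applies to the four-way condition in the exif_data_load_data_thumbnail hunk, where `if ((o > ds) || (s > ds - o))` covers every case. `s` is computed above this hunk; if it is the product of a format size and a component count read from the file, that multiplication could presumably wrap before this guard sees it and would need its own check. The function begins and ends outside the hunk.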
@@ -309,21 +307,24 @@ exif_data_save_data_entry (ExifData *dat static void exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d, - unsigned int ds, ExifLong offset, ExifLong size) + unsigned int ds, ExifLong o, ExifLong s) { - if ((ds < offset + size) || (offset > ds)) { + /* Sanity checks */ + if ((o + s < o) || (o + s < s) || (o + s > ds) || (o > ds)) { exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", "Bogus thumbnail offset (%u) or size (%u).", - offset, size); + o, s); return; } + if (data->data) exif_mem_free (data->priv->mem, data->data); - data->size = size; - data->data = exif_data_alloc (data, data->size); - if (!data->data) + if (!(data->data = exif_data_alloc (data, s))) { + data->size = 0; return; - memcpy (data->data, d + offset, data->size); + } + data->size = s; + memcpy (data->data, d + o, s); } #undef CHECK_REC |
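Review bot: When `exif_data_alloc` fails, the new branch sets `data->size = 0` and returns without logging, even though the previous thumbnail has already been freed just above, so the thumbnail disappears with no trace of why. An `exif_log` call in that branch, in the same form as the one on the bounds-check path, would make the failure visible. The single-letter parameters `o` and `s` lose the meaning that `offset` and `size` carried; a comment above the function such as `/* o, s: thumbnail offset and length; ds: presumably the length of buffer d */` would restore it. The assignment inside the condition, `if (!(data->data = exif_data_alloc (data, s)))`, would be easier to audit as a plain assignment followed by `if (!data->data)`.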