From: Dan F. <dfa...@us...> - 2009-11-13 06:05:49
Update of /cvsroot/libexif/libexif/libexif In directory ddv4jf1.ch3.sourceforge.com:/tmp/cvs-serv9598/libexif Modified Files: exif-entry.c Log Message: Fixed a heap buffer overflow during tag format conversion. Index: exif-entry.c =================================================================== RCS file: /cvsroot/libexif/libexif/libexif/exif-entry.c,v retrieving revision 1.135 retrieving revision 1.136 diff -u -p -d -r1.135 -r1.136 --- exif-entry.c 27 Oct 2009 06:06:11 -0000 1.135 +++ exif-entry.c 13 Nov 2009 06:05:36 -0000 1.136 @@ -195,7 +195,8 @@ exif_get_short_convert (const unsigned c void exif_entry_fix (ExifEntry *e) { - unsigned int i; + unsigned int i, newsize; + unsigned char *newdata; ExifByteOrder o; ExifRational r; ExifSRational sr; @@ -237,20 +238,30 @@ exif_entry_fix (ExifEntry *e) exif_entry_get_ifd(e)), exif_format_get_name (e->format), exif_format_get_name (EXIF_FORMAT_SHORT)); + o = exif_data_get_byte_order (e->parent->parent); + newsize = e->components * exif_format_get_size (EXIF_FORMAT_SHORT); + newdata = exif_entry_alloc (e, newsize); + if (!newdata) { + exif_entry_log (e, EXIF_LOG_CODE_NO_MEMORY, + "Could not allocate %lu byte(s).", (unsigned long)newsize); + break; + } + for (i = 0; i < e->components; i++) exif_set_short ( - e->data + i * + newdata + i * exif_format_get_size ( EXIF_FORMAT_SHORT), o, exif_get_short_convert ( e->data + i * exif_format_get_size (e->format), e->format, o)); + + exif_mem_free (e->priv->mem, e->data); + e->data = newdata; + e->size = newsize; e->format = EXIF_FORMAT_SHORT; - e->size = e->components * - exif_format_get_size (e->format); - e->data = exif_entry_realloc (e, e->data, e->size); break; case EXIF_FORMAT_SHORT: /* No conversion necessary */ |
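Review bot: The new `newsize = e->components * exif_format_get_size (EXIF_FORMAT_SHORT);` is stored in an `unsigned int` with no wrap-around check, so a very large component count from the parsed file could yield a buffer smaller than what the following loop writes through `newdata + i * ...`. The declaration of `e->components` is not visible on this page, so its width should be confirmed, but a guard ahead of the allocation would close the gap, for example `if (e->components > UINT_MAX / exif_format_get_size (EXIF_FORMAT_SHORT)) break;` with a log call alongside it, as is done for the allocation failure. The loop also reads `e->components * exif_format_get_size (e->format)` bytes from `e->data` without comparing that to `e->size`; if that invariant is not enforced when the entry is loaded, the same guard should check it. The `switch` in `exif_entry_fix` starts and ends outside this hunk.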