From: Marcus M. <ma...@je...> - 2007-12-16 09:43:07
On Fri, Dec 14, 2007 at 08:32:37PM +0000, Lutz Müller wrote:
> Update of /cvsroot/libexif/libexif/libexif > In directory sc8-pr-cvs6.sourceforge.net:/tmp/cvs-serv28701/libexif > > Modified Files: > exif-data.c > Log Message: > 2007-12-14 Lutz Mueller <lu...@us...> > > Bug pointed out by Meder Kydyraliev, Google Security Team: > > * libexif/exif-data.c: (exif_data_load_data_thumbnail) Ignore bugus > data. > > > Index: exif-data.c > =================================================================== > RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v > retrieving revision 1.102 > retrieving revision 1.103 > diff -u -p -d -r1.102 -r1.103 > --- exif-data.c 7 Dec 2007 08:46:48 -0000 1.102 > +++ exif-data.c 14 Dec 2007 20:32:35 -0000 1.103 > @@ -299,10 +299,9 @@ static void > exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d, > unsigned int ds, ExifLong offset, ExifLong size) > { > - if (ds < offset + size) { 

Same here. offset < 0 is never true, so perhaps use (size > UINT_MAX - offset)

Ciao, Marcus
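Review bot: the new condition in exif_data_load_data_thumbnail still evaluates `offset + size` before anything else, so a wrapped sum can pass `ds < offset + size` whenever `offset` itself is within `ds`; the added `offset > ds` test does not cover a large `size` paired with a small `offset`. If ExifLong is unsigned, as the reply above states, `(offset < 0)` is dead code and should be dropped. Suggest avoiding the addition altogether by testing `offset > ds` first and then `size > ds - offset`, which cannot wrap once the first test has passed, and adding a short comment that both values come from untrusted file data.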