From: Marcus M. <mar...@us...> - 2017-07-25 21:44:48
Update of /cvsroot/libexif/libexif/libexif/pentax In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv31300/pentax Modified Files: mnote-pentax-entry.c Log Message: fixes some (not all) buffer overreads during decoding pentax makernote entries. This should fix: https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
Index: mnote-pentax-entry.c
===================================================================
RCS file: /cvsroot/libexif/libexif/libexif/pentax/mnote-pentax-entry.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -d -r1.26 -r1.27
--- mnote-pentax-entry.c 26 May 2017 13:13:14 -0000 1.26
+++ mnote-pentax-entry.c 25 Jul 2017 21:44:44 -0000 1.27
@@ -425,24 +425,34 @@
 case EXIF_FORMAT_SHORT:
 {
 const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
 for(k=0; k<entry->components; k++) {
+ if (sizeleft < 2)
+ break;
 vs = exif_get_short (data, entry->order);
 snprintf (val+len, maxlen-len, "%i ", vs);
 len = strlen(val);
 data += 2;
+ sizeleft -= 2;
 }
 }
 break;
 case EXIF_FORMAT_LONG:
 {
 const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
 for(k=0; k<entry->components; k++) {
+ if (sizeleft < 4)
+ break;
 vl = exif_get_long (data, entry->order);
 snprintf (val+len, maxlen-len, "%li", (long int) vl);
 len = strlen(val);
 data += 4;
+ sizeleft -= 4;
 }
 }
 break;
@@ -455,5 +465,5 @@
 break;
 }
 
- return (val);
+ return val;
 }
|
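Review bot: The `if (sizeleft < 2) break;` guard added in the EXIF_FORMAT_SHORT loop (and its `< 4` twin in EXIF_FORMAT_LONG) stops the overread but silently truncates the decoded value when entry->components claims more elements than entry->size holds, and nothing at the break site says why; a comment such as `/* components comes from untrusted makernote data and may exceed the bytes actually present; stop at entry->size rather than reading past data */` would make the intent clear to the next reader. The guard also presumes that entry->size accurately describes the buffer behind entry->data, which this hunk cannot show and which the makernote loader must guarantee. As a point of style, the same sizeleft bookkeeping is written twice and interleaved with the loop body; computing the bounded count once per case, e.g. `size_t count = entry->size / 2 < entry->components ? entry->size / 2 : entry->components;` and looping `for (k = 0; k < count; k++)`, keeps the bound in one place and drops the extra counter. The enclosing switch and function begin before this hunk.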