From: Hans U. N. <hu...@us...> - 2007-06-12 15:50:22
Update of /cvsroot/libexif/libexif/libexif In directory sc8-pr-cvs6.sourceforge.net:/tmp/cvs-serv12888/libexif Modified Files: exif-data.c Log Message: libexif-0.6.16 (fixes CVE-2006-4168) Index: exif-data.c =================================================================== RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v retrieving revision 1.94 retrieving revision 1.95 diff -u -p -d -r1.94 -r1.95 --- exif-data.c 14 May 2007 05:43:10 -0000 1.94 +++ exif-data.c 12 Jun 2007 15:50:16 -0000 1.95 @@ -167,13 +167,18 @@ exif_data_load_data_entry (ExifData *dat "Loading entry 0x%x ('%s')...", entry->tag, exif_tag_get_name (entry->tag)); + /* {0,1,2,4,8} x { 0x00000000 .. 0xffffffff } + * -> { 0x000000000 .. 0x7fffffff8 } */ + s = exif_format_get_size(entry->format) * entry->components; + if (s < entry->components) { + return 0; + } + if (0 == s) + return 0; /* * Size? If bigger than 4 bytes, the actual data is not * in the entry but somewhere else (offset). */ - s = exif_format_get_size (entry->format) * entry->components; - if (!s) - return 0; if (s > 4) doff = exif_get_long (d + offset + 8, data->priv->order); else |
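Review bot: The wraparound test `if (s < entry->components)` placed right after the multiplication does not catch every overflow when the format size is 4 or 8, assuming `s` is a 32-bit unsigned value (its declaration is outside this hunk). The added comment itself puts the product range at up to 0x7fffffff8, which does not fit in 32 bits. For example, size 8 with components 0x30000000 gives 0x180000000, which truncates to 0x80000000; that is larger than components, so the test passes and a wrapped `s` reaches the `s > 4` branch. Suggest checking before multiplying: take the size from `exif_format_get_size(entry->format)` first, return 0 when it is zero, and return 0 when `entry->components` exceeds the maximum value of `s`'s type divided by that size. Alternatively, do the multiplication in a 64-bit type and reject results above the 32-bit limit. Either form also lets the two early returns be folded into one.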