31 lines
1.1 KiB
Diff
From 93003b93e50b3d259bd2227d8775b73a53c35d58 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.de>
Date: Fri, 3 Apr 2026 11:18:47 +0200
Subject: [PATCH] Avoid overflow on 32bit system when reading Nikon MakerNotes

The addition o2 = datao + exif_get_long(buf + o2, n->order)
could have overflowed on systems with 32bit unsigned int size_t.

This could have caused out of bound reads of data, leading to
misparsing of exif / crashes.

Reported-By: Kerwin <kerwinxia66001@gmail.com>
---
libexif/olympus/exif-mnote-data-olympus.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/libexif/olympus/exif-mnote-data-olympus.c b/libexif/olympus/exif-mnote-data-olympus.c
index 428f365..37f08ff 100644
--- a/libexif/olympus/exif-mnote-data-olympus.c
+++ b/libexif/olympus/exif-mnote-data-olympus.c
@@ -386,6 +386,7 @@ exif_mnote_data_olympus_load (ExifMnoteData *en,
o2 += 2;
/* Go to where the number of entries is. */
+ if (CHECKOVERFLOW(o2,buf_size,exif_get_long (buf + o2, n->order))) return;
o2 = datao + exif_get_long (buf + o2, n->order);
break;
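Review bot: the added guard passes `o2` as the offset to `CHECKOVERFLOW`, but the very next line adds the same `exif_get_long (buf + o2, n->order)` value to `datao`, not to `o2`, so the sum the commit message says can wrap (`datao + value`) is not the one being checked. Unless `datao` is known never to exceed `o2` at this point, a value can pass the guard and still wrap or land past `buf_size` once added to `datao`; consider checking with `datao` as the base. The guard also calls `exif_get_long (buf + o2, ...)` itself, and nothing in the visible context shows that four bytes at `o2` are inside `buf_size` before that read. Reading the value once into a local and using it for both the check and the assignment would avoid the duplicated read, and a log message before the bare `return` would make a rejected MakerNote diagnosable.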
--
2.53.0