23 lines
662 B
Diff
23 lines
662 B
Diff
Patch to prevent integer overflow that might result in out-of-bound
|
|
write in memcpy() #240055
|
|
|
|
Index: libexif/exif-data.c
|
|
===================================================================
|
|
RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v
|
|
retrieving revision 1.89
|
|
retrieving revision 1.90
|
|
diff -u -p -r1.89 -r1.90
|
|
--- libexif/exif-data.c 9 May 2007 06:09:05 -0000 1.89
|
|
+++ libexif/exif-data.c 10 May 2007 14:32:01 -0000 1.90
|
|
@@ -179,7 +179,9 @@ exif_data_load_data_entry (ExifData *dat
|
|
else
|
|
doff = offset + 8;
|
|
|
|
- /* Sanity check */
|
|
+ /* Sanity checks */
|
|
+ if ((doff + s < doff) || (doff + s < s))
|
|
+ return 0;
|
|
if (size < doff + s)
|
|
return 0;
|
|
|