22 lines
807 B
Diff
22 lines
807 B
Diff
--- libexif-0.6.13/libexif/exif-data.c.cve-2007-4168 2005-08-22 16:32:02.000000000 -0400
|
|
+++ libexif-0.6.13/libexif/exif-data.c 2007-06-12 12:14:35.000000000 -0400
|
|
@@ -174,9 +174,15 @@ exif_data_load_data_entry (ExifData *dat
|
|
* Size? If bigger than 4 bytes, the actual data is not
|
|
* in the entry but somewhere else (offset).
|
|
*/
|
|
- s = exif_format_get_size (entry->format) * entry->components;
|
|
- if (!s)
|
|
- return 0;
|
|
+ /* {0,1,2,4,8} x { 0x00000000 .. 0xffffffff }
|
|
+ * -> { 0x000000000 .. 0x7fffffff8 } */
|
|
+ s = exif_format_get_size(entry->format) * entry->components;
|
|
+ if (s < entry->components) {
|
|
+ return 0;
|
|
+ }
|
|
+ if (0 == s)
|
|
+ return 0;
|
|
+
|
|
if (s > 4)
|
|
doff = exif_get_long (d + offset + 8, data->priv->order);
|
|
else
|