31 lines
856 B
Diff
31 lines
856 B
Diff
--- libexif-0.5.12/libexif/exif-data.c.buffer-overflow 2005-03-08 05:24:31.000000000 -0500
|
|
+++ libexif-0.5.12/libexif/exif-data.c 2005-03-08 05:26:30.000000000 -0500
|
|
@@ -551,7 +551,7 @@
|
|
#endif
|
|
|
|
/* Byte order (offset 6, length 2) */
|
|
- if (size < 12)
|
|
+ if (size < 14)
|
|
return;
|
|
if (!memcmp (d + 6, "II", 2))
|
|
data->priv->order = EXIF_BYTE_ORDER_INTEL;
|
|
@@ -570,12 +570,18 @@
|
|
printf ("IFD 0 at %i.\n", (int) offset);
|
|
#endif
|
|
|
|
+ if (ds < 6 + 4 + offset)
|
|
+ return;
|
|
+
|
|
/* Parse the actual exif data (offset 14) */
|
|
exif_data_load_data_content (data, data->ifd[EXIF_IFD_0], d + 6,
|
|
size - 6, offset);
|
|
|
|
/* IFD 1 offset */
|
|
n = exif_get_short (d + 6 + offset, data->priv->order);
|
|
+ if (ds < 6 + offset + 2 + 12 * n + 4)
|
|
+ return;
|
|
+
|
|
offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order);
|
|
if (offset) {
|
|
#ifdef DEBUG
|