[SCM] exiv2 packaging branch, master, updated. debian/0.25-3.1-3734-gdcbc29a
Maximiliano Curia
maxy at moszumanska.debian.org
Thu Jul 13 17:37:48 UTC 2017
Gitweb-URL: http://git.debian.org/?p=pkg-kde/kde-extras/exiv2.git;a=commitdiff;h=1d6a869
The following commit has been merged in the master branch:
commit 1d6a869c1ce8379c44725007765ca5161664211a
Author: Andreas Huggel <ahuggel at gmx.net>
Date: Wed Aug 2 14:16:10 2006 +0000
More checks and sanity tests. Improves fix for bug #482.
---
src/tiffvisitor.cpp | 44 ++++++++++++++++++++++++++++++++------------
1 file changed, 32 insertions(+), 12 deletions(-)
diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp
index 60a3088..aa17474 100644
--- a/src/tiffvisitor.cpp
+++ b/src/tiffvisitor.cpp
@@ -550,19 +550,28 @@ namespace Exiv2 {
if (p + 2 > pLast_) {
#ifndef SUPPRESS_WARNINGS
std::cerr << "Error: "
- << "Directory " << object->groupName() << ": "
- << " IFD exceeds data buffer, cannot read entry count.
";
+ << "Directory " << object->groupName()
+ << ": IFD exceeds data buffer, cannot read entry count.
";
#endif
return;
}
const uint16_t n = getUShort(p, byteOrder());
p += 2;
+ // Sanity check with an "unreasonably" large number
+ if (n > 512) {
+#ifndef SUPPRESS_WARNINGS
+ std::cerr << "Error: "
+ << "Directory " << object->groupName() << " with "
+ << n << " entries considered invalid; not read.
";
+#endif
+ return;
+ }
for (uint16_t i = 0; i < n; ++i) {
if (p + 12 > pLast_) {
#ifndef SUPPRESS_WARNINGS
std::cerr << "Error: "
- << "Directory " << object->groupName() << ": "
- << " IFD entry " << i
+ << "Directory " << object->groupName()
+ << ": IFD entry " << i
<< " lies outside of the data buffer.
";
#endif
return;
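Review bot: The cap in `if (n > 512)` is a bare magic number, and nothing in the hunk says why 512 is the right limit or what happens to a legitimate directory with more entries. Because `n` is read straight from the file, a bound derived from the data would be exact rather than heuristic: after `p += 2` the bytes left are `pLast_ - p` (assuming `pLast_` marks the end of the buffer, as the surrounding checks suggest), so `if (n > (pLast_ - p) / 12)` rejects any count the buffer cannot hold. That would reject a truncated directory outright instead of reading it up to the first out-of-range entry, so it is a behaviour choice to confirm. If the fixed cap is kept as a work limit, name and document it, e.g. `const uint16_t maxDirEntries = 512; // heuristic: larger counts are treated as corrupt input`. The enclosing function starts and ends outside the hunk.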
@@ -578,8 +587,8 @@ namespace Exiv2 {
if (p + 4 > pLast_) {
#ifndef SUPPRESS_WARNINGS
std::cerr << "Error: "
- << "Directory " << object->groupName() << ": "
- << " IFD exceeds data buffer, cannot read next pointer.
";
+ << "Directory " << object->groupName()
+ << ": IFD exceeds data buffer, cannot read next pointer.
";
#endif
return;
}
@@ -600,8 +609,8 @@ namespace Exiv2 {
if (baseOffset() + next > size_) {
#ifndef SUPPRESS_WARNINGS
std::cerr << "Error: "
- << "Directory " << object->groupName() << ": "
- << " Next pointer is out of bounds.
";
+ << "Directory " << object->groupName()
+ << ": Next pointer is out of bounds.
";
#endif
return;
}
@@ -728,19 +737,30 @@ namespace Exiv2 {
// Component already has tag
p += 2;
object->type_ = getUShort(p, byteOrder());
- // todo: check type
+ long typeSize = TypeInfo::typeSize(object->typeId());
+ if (0 == typeSize) {
+#ifndef SUPPRESS_WARNINGS
+ std::cerr << "Error: Directory " << object->groupName()
+ << ", entry 0x" << std::setw(4)
+ << std::setfill('0') << std::hex << object->tag()
+ << " has an invalid type:
"
+ << "Type = " << std::dec << object->type_
+ << "; skipping entry.
";
+#endif
+ return;
+ }
p += 2;
object->count_ = getULong(p, byteOrder());
p += 4;
- object->size_ = TypeInfo::typeSize(object->typeId()) * object->count();
+ object->size_ = typeSize * object->count();
object->offset_ = getULong(p, byteOrder());
object->pData_ = p;
if (object->size() > 4) {
if (baseOffset() + object->offset() >= size_) {
#ifndef SUPPRESS_WARNINGS
std::cerr << "Error: Offset of "
- << "directory " << object->groupName() << ", "
- << " entry 0x" << std::setw(4)
+ << "directory " << object->groupName()
+ << ", entry 0x" << std::setw(4)
<< std::setfill('0') << std::hex << object->tag()
<< " is out of bounds:
"
<< "Offset = 0x" << std::setw(8)
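Review bot: `object->size_ = typeSize * object->count();` multiplies a `long` by a count taken unchecked from the file via `getULong`, so on platforms where `long` is 32 bits a large count can overflow the product. The result would presumably be a small or negative size that skips the `object->size() > 4` offset check. Bound the count against the reader's buffer size before multiplying, for example `if (object->count() > static_cast<uint32_t>(size_ / typeSize)) return;` preceded by the usual warning; the types of `size_` and `count()` are not visible here, so adjust the cast to match. The visible bounds check also tests only the start `baseOffset() + object->offset()`, not start plus size. The function continues past the hunk, so that may be handled further down.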
--
exiv2 packaging