7a7387be51
patches from upstream cvs
$OpenBSD: patch-libexif_exif-data_c,v 1.1 2008/11/05 13:11:14 jasper Exp $
Fix for CVE-2007-6351: Integer overflow.
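--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -288,10 +288,10 @@ static void
 exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
 unsigned int ds, ExifLong offset, ExifLong size)
 {
- if (ds < offset + size) {
+ if ((ds < offset + size) || (offset > ds)) {
 exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
- "Bogus thumbnail offset and size: %i < %i + %i.",
- (int) ds, (int) offset, (int) size);
+ "Bogus thumbnail offset (%u) or size (%u).",
+ offset, size);
 return;
 }
 if (data->data)
@@ -314,7 +314,7 @@ if ((i) == ifd) { \
 } \
 if (data->ifd[(i)]->count) { \
 exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, \
- "ExifData", "Attemt to load IFD " \
+ "ExifData", "Attempt to load IFD " \
 "'%s' multiple times detected. " \
 "Skipping...", \
 exif_ifd_get_name (i)); \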
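Review bot: The new guard in exif_data_load_data_thumbnail still computes `offset + size` before comparing it with ds, so the sum can wrap. Assuming ExifLong is an unsigned 32-bit type (its definition is not visible here), an offset within ds combined with a size near the type's maximum wraps to a small value, and both `ds < offset + size` and `offset > ds` come out false. A form that cannot overflow checks the offset first and then compares size against the remaining bytes: `if ((offset > ds) || (size > ds - offset)) {`. The function body continues past the hunk, so how size and offset are used after the check should be confirmed against the full file. The new `%u` specifiers also assume ExifLong is exactly `unsigned int`; if that is not guaranteed, casting the arguments with `(unsigned int) offset, (unsigned int) size` keeps the log call well-defined.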