authorDan Fandrich <dan@coneharvesters.com>2018-07-04 11:06:09 +0200
committerDan Fandrich <dan@coneharvesters.com>2019-11-05 10:27:54 +0100
commitf9bb9f263fb00f0603ecbefa8957cad24168cbff (patch)
tree585e9d02da08b552ed55436fa8a329c0bc6ee3bf
parentb4322b18e24a8a636abe8542a0551614fef5ce4b (diff)
Fix a buffer read overflow in exif_entry_get_value
While parsing EXIF_TAG_FOCAL_LENGTH it was possible to read 8 bytes past the end of a heap buffer. This was detected by the OSS Fuzz project. Patch from Google. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7344 and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14543
-rw-r--r--libexif/exif-entry.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
index 61260d3..a224ac2 100644
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
@@ -1040,12 +1040,12 @@ exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen)
d = 0.;
entry = exif_content_get_entry (
e->parent->parent->ifd[EXIF_IFD_0], EXIF_TAG_MAKE);
- if (entry && entry->data &&
+ if (entry && entry->data && entry->size >= 7 &&
!strncmp ((char *)entry->data, "Minolta", 7)) {
entry = exif_content_get_entry (
e->parent->parent->ifd[EXIF_IFD_0],
EXIF_TAG_MODEL);
- if (entry && entry->data) {
+ if (entry && entry->data && entry->size >= 8) {
if (!strncmp ((char *)entry->data, "DiMAGE 7", 8))
d = 3.9;
else if (!strncmp ((char *)entry->data, "DiMAGE 5", 8))
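Review bot: The added guards `entry->size >= 7` and `entry->size >= 8` restate the lengths of the literals compared two lines below ("Minolta", "DiMAGE 7"/"DiMAGE 5"), so the bound and the strncmp length are kept in sync only by hand and a later edit to one literal can silently reopen the over-read the commit closes. Deriving the bound from the literal keeps them coupled, e.g. `if (entry && entry->data && entry->size >= sizeof "Minolta" - 1 &&` with the matching `strncmp (..., "Minolta", sizeof "Minolta" - 1)`, and likewise `sizeof "DiMAGE 7" - 1` for the model check. A one-line comment on the first guard, `/* data is not NUL-terminated; bound the compare by entry->size */`, would record why the size check is required at all. exif_entry_get_value begins before this hunk and the model comparisons appear to continue past its last line; any further strncmp against entry->data there is only covered by the `>= 8` guard if it compares at most 8 bytes, which should be confirmed.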