Fix stack buffer overflows in exif_content_dump and exif_entry_dump.

If too large an indent is given, a local buffer will overflow. This can't happen when called through exif_data_dump (which is likely the most common case) and since they are documented as being for diagnostic purposes only, this shouldn't pose too big a security risk in the wild. Reported-by: jonnygrant. (not exploitable by malicious data)
libexif · May 16, 2020 · bbd35b1 · bbd35b1
1 parent ec412aa
commit bbd35b1
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 10 deletions.
diff --git a/libexif/exif-content.c b/libexif/exif-content.c
@@ -120,15 +120,15 @@ void
 exif_content_dump (ExifContent *content, unsigned int indent)
 {
 	char buf[1024];
-	unsigned int i;
-
-	for (i = 0; i < 2 * indent; i++)
-		buf[i] = ' ';
-	buf[i] = '\0';
+	unsigned int i, l;
 
 	if (!content)
 		return;
 
+	l = MIN(sizeof(buf)-1, 2*indent);
+	memset(buf, ' ', l);
+	buf[l] = '\0';
+
 	printf ("%sDumping exif content (%u entries)...\n", buf,
 		content->count);
 	for (i = 0; i < content->count; i++)

diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
@@ -597,15 +597,15 @@ exif_entry_dump (ExifEntry *e, unsigned int indent)
 {
 	char buf[1024];
 	char value[1024];
-	unsigned int i;
-
-	for (i = 0; i < 2 * indent; i++)
-		buf[i] = ' ';
-	buf[i] = '\0';
+	unsigned int l;
 
 	if (!e)
 		return;
 
+	l = MIN(sizeof(buf)-1, 2*indent);
+	memset(buf, ' ', l);
+	buf[l] = '\0';
+
 	printf ("%sTag: 0x%x ('%s')\n", buf, e->tag,
 		exif_tag_get_name_in_ifd (e->tag, exif_entry_get_ifd(e)));
 	printf ("%s  Format: %i ('%s')\n", buf, e->format,