Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix integer overflow in WebPImage::getHeaderOffset #962

Merged
merged 2 commits into from Jul 15, 2019
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
Prev
Fix integer overflow by checking size against header_size
Note that the problem occurs when data_size is less than header_size
what causes a buffer overflow in &data[i]

Co-Authored-By: D4N <dan.cermak@cgc-instruments.com>
  • Loading branch information
piponazo and D4N committed Jul 15, 2019
commit e925bc5addd881543fa503470c8a859e112cca62
5 changes: 3 additions & 2 deletions src/webpimage.cpp
Expand Up @@ -827,8 +827,9 @@ namespace Exiv2 {
}
}

long WebPImage::getHeaderOffset(byte *data, long data_size,
byte *header, long header_size) {
long WebPImage::getHeaderOffset(byte* data, long data_size, byte* header, long header_size)
{
if (data_size < header_size) { return -1; }
long pos = -1;
for (long i=0; i < data_size - header_size; i++) {
if (memcmp(header, &data[i], header_size) == 0) {
Expand Down