
Commit e473845

committed
Secunia Advisory SA83050: possible infinite loop in parse_minolta()
1 parent 3afcbfd commit e473845


2 files changed

+14
-0
lines changed


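--- a/dcraw/dcraw.c
+++ b/dcraw/dcraw.c
@@ -15669,11 +15669,18 @@ void CLASS parse_minolta(int base)
 return;
 order = fgetc(ifp) * 0x101;
 offset = base + get4() + 8;
+#ifdef LIBRAW_LIBRARY_BUILD
+if(offset>ifp->size()-8) // At least 8 bytes for tag/len
+offset = ifp->size()-8;
+#endif
+
 while ((save = ftell(ifp)) < offset)
 {
 for (tag = i = 0; i < 4; i++)
 tag = tag << 8 | fgetc(ifp);
 len = get4();
+if(len < 0)
+return; // just ignore wrong len?? or raise bad file exception?
 switch (tag)
 {
 case 0x505244: /* PRD */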
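Review bot: The new `len` check rejects only negative values, so a large positive `len` read from the file is still accepted and is never compared with the file size or with the clamped `offset`. The code that consumes `len` comes after the `switch`, outside this hunk, so whether an oversized value can still stall or misdirect the loop cannot be confirmed from here. The upper bound is cheap to add beside the existing check under the same `LIBRAW_LIBRARY_BUILD` guard, for example `if (len < 0 || (long long)save + len + 8 > ifp->size()) return;`. The identical hunk in internal/dcraw_common.cpp has the same gap, and parse_minolta's body begins and ends outside the hunk.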

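--- a/internal/dcraw_common.cpp
+++ b/internal/dcraw_common.cpp
@@ -14331,11 +14331,18 @@ void CLASS parse_minolta(int base)
 return;
 order = fgetc(ifp) * 0x101;
 offset = base + get4() + 8;
+#ifdef LIBRAW_LIBRARY_BUILD
+if(offset>ifp->size()-8) // At least 8 bytes for tag/len
+offset = ifp->size()-8;
+#endif
+
 while ((save = ftell(ifp)) < offset)
 {
 for (tag = i = 0; i < 4; i++)
 tag = tag << 8 | fgetc(ifp);
 len = get4();
+if(len < 0)
+return; // just ignore wrong len?? or raise bad file exception?
 switch (tag)
 {
 case 0x505244: /* PRD */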
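Review bot: The comment on the `len < 0` return, `// just ignore wrong len?? or raise bad file exception?`, records an unresolved question instead of the behaviour that was chosen. As written the function returns silently with whatever fields earlier blocks set, and a caller presumably gets no signal that the header was malformed (the callers are not visible here). Either settle the policy or state it in the comment, e.g. `// negative block length: malformed header, stop parsing and keep what was read so far`. The same comment appears in dcraw/dcraw.c.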
