Skip to content
Permalink
Browse files Browse the repository at this point in the history
X3F parser possible buffer overrun
  • Loading branch information
alextutubalin committed Apr 27, 2018
1 parent 87144aa commit efd8cfa
Showing 1 changed file with 7 additions and 5 deletions.
12 changes: 7 additions & 5 deletions src/libraw_cxx.cpp
Expand Up @@ -5484,17 +5484,19 @@ void x3f_clear(void *p)
x3f_delete((x3f_t*)p);
}

static char *utf2char(utf16_t *str, char *buffer)
void utf2char(utf16_t *str, char *buffer, unsigned bufsz)
{
if(bufsz<1) return;
buffer[bufsz-1] = 0;
char *b = buffer;

while (*str != 0x00) {
while (*str != 0x00 && --bufsz>0)
{
char *chr = (char *)str;
*b++ = *chr;
str++;
}
*b = 0;
return buffer;
}

static void *lr_memmem(const void *l, size_t l_len, const void *s, size_t s_len)
Expand Down Expand Up @@ -5555,8 +5557,8 @@ void LibRaw::parse_x3f()
x3f_property_t *P = PL->property_table.element;
for (i=0; i<PL->num_properties; i++) {
char name[100], value[100];
utf2char(P[i].name,name);
utf2char(P[i].value,value);
utf2char(P[i].name,name,sizeof(name));
utf2char(P[i].value,value,sizeof(value));
if (!strcmp (name, "ISO"))
imgdata.other.iso_speed = atoi(value);
if (!strcmp (name, "CAMMANUF"))
Expand Down

0 comments on commit efd8cfa

Please sign in to comment.