Skip to content

Commit f0c505a

Browse files
committed
X3F property table list fix
1 parent 895529f commit f0c505a

File tree

3 files changed

+15
-13
lines changed

3 files changed

+15
-13
lines changed

Diff for: internal/dcraw_common.cpp

+1
Original file line numberDiff line numberDiff line change
@@ -17602,6 +17602,7 @@ void CLASS identify()
1760217602
tiff_ifd[i].dng_levels.analogbalance[c] = 1.0f;
1760317603
}
1760417604
#endif
17605+
1760517606
memset(gpsdata, 0, sizeof gpsdata);
1760617607
memset(cblack, 0, sizeof cblack);
1760717608
memset(white, 0, sizeof white);

Diff for: internal/libraw_x3f.cpp

+3-11
Original file line numberDiff line numberDiff line change
@@ -121,8 +121,6 @@ typedef struct x3f_property_s {
121121
/* Computed */
122122
utf16_t *name; /* 0x0000 terminated UTF 16 */
123123
utf16_t *value; /* 0x0000 terminated UTF 16 */
124-
char *name_utf8; /* converted to UTF 8 */
125-
char *value_utf8; /* converted to UTF 8 */
126124
} x3f_property_t;
127125

128126
typedef struct x3f_property_table_s {
@@ -516,7 +514,6 @@ unsigned x3f_get4(LibRaw_abstract_datastream *f)
516514
int _cur = _file->_func(_buffer,1,_left); \
517515
if (_cur == 0) { \
518516
throw LIBRAW_EXCEPTION_IO_CORRUPT; \
519-
exit(1); \
520517
} \
521518
_left -= _cur; \
522519
} \
@@ -912,11 +909,6 @@ static void free_camf_entry(camf_entry_t *entry)
912909
if (PL)
913910
{
914911
int i;
915-
916-
for (i = 0; i < PL->property_table.size; i++) {
917-
FREE(PL->property_table.element[i].name_utf8);
918-
FREE(PL->property_table.element[i].value_utf8);
919-
}
920912
}
921913
FREE(PL->property_table.element);
922914
FREE(PL->data);
@@ -1624,14 +1616,14 @@ static void x3f_load_property_list(x3f_info_t *I, x3f_directory_entry_t *DE)
16241616

16251617
if (!PL->data_size)
16261618
PL->data_size = read_data_block(&PL->data, I, DE, 0);
1619+
uint32_t maxoffset = PL->data_size/sizeof(utf16_t)-2; // at least 2 chars, value + terminating 0x0000
16271620

16281621
for (i=0; i<PL->num_properties; i++) {
16291622
x3f_property_t *P = &PL->property_table.element[i];
1630-
1623+
if(P->name_offset > maxoffset || P->value_offset > maxoffset)
1624+
throw LIBRAW_EXCEPTION_IO_CORRUPT;
16311625
P->name = ((utf16_t *)PL->data + P->name_offset);
16321626
P->value = ((utf16_t *)PL->data + P->value_offset);
1633-
P->name_utf8 = 0;// utf16le_to_utf8(P->name);
1634-
P->value_utf8 = 0;//utf16le_to_utf8(P->value);
16351627
}
16361628
}
16371629

Diff for: src/libraw_cxx.cpp

+11-2
Original file line numberDiff line numberDiff line change
@@ -6143,21 +6143,30 @@ void LibRaw::parse_x3f()
61436143
imgdata.sizes.raw_width = ID->columns;
61446144
imgdata.sizes.raw_height = ID->rows;
61456145
// Parse other params from property section
6146+
61466147
DE = x3f_get_prop(x3f);
61476148
if ((x3f_load_data(x3f, DE) == X3F_OK))
61486149
{
61496150
// Parse property list
61506151
DEH = &DE->header;
61516152
x3f_property_list_t *PL = &DEH->data_subsection.property_list;
6153+
utf16_t *datap = (utf16_t*) PL->data;
6154+
uint32_t maxitems = PL->data_size/sizeof(utf16_t);
61526155
if (PL->property_table.size != 0)
61536156
{
61546157
int i;
61556158
x3f_property_t *P = PL->property_table.element;
61566159
for (i = 0; i < PL->num_properties; i++)
61576160
{
61586161
char name[100], value[100];
6159-
utf2char(P[i].name, name,sizeof(name));
6160-
utf2char(P[i].value, value,sizeof(value));
6162+
int noffset = (P[i].name - datap);
6163+
int voffset = (P[i].value - datap);
6164+
if(noffset < 0 || noffset>maxitems || voffset<0 || voffset>maxitems)
6165+
throw LIBRAW_EXCEPTION_IO_CORRUPT;
6166+
int maxnsize = maxitems - (P[i].name - datap);
6167+
int maxvsize = maxitems - (P[i].value - datap);
6168+
utf2char(P[i].name, name,MIN(maxnsize,sizeof(name)));
6169+
utf2char(P[i].value, value,MIN(maxvsize,sizeof(value)));
61616170
if (!strcmp(name, "ISO"))
61626171
imgdata.other.iso_speed = atoi(value);
61636172
if (!strcmp(name, "CAMMANUF"))

0 commit comments

Comments
 (0)