Running jhead 3.06.0.1 on the attached repro case under valgrind results in

```
==3535479== Memcheck, a memory error detector
==3535479== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3535479== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
[...] (some error messages from jhead removed for brevity)
==3535479== Conditional jump or move depends on uninitialised value(s)
==3535479==    at 0x11197F: process_EXIF (exif.c:1042)
==3535479==    by 0x10EDBF: ReadJpegSections.part.0 (jpgfile.c:289)
==3535479==    by 0x10EFE8: ReadJpegSections (jpgfile.c:125)
==3535479==    by 0x10EFE8: ReadJpegFile (jpgfile.c:381)
==3535479==    by 0x10CC16: ProcessFile (jhead.c:914)
==3535479==    by 0x10B6DB: main (jhead.c:1770)
```
The problem still exists in current master.
The problem is that process_EXIF() expects that length >= 16 but does not check that at all (here it is 10). There is a check a couple of lines later (executed only under certain conditions), but IMHO this should be checked much sooner (before the EXIF header component check).
Original Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968961
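Added example (not jhead's own code): a bounds-checked version of the EXIF prefix parse the report describes, with the length check placed before the EXIF header comparison rather than after it. It assumes the standard JPEG APP1 layout (2-byte segment length field, then "Exif\0\0", then the 8-byte TIFF header); the status codes and sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bytes the prefix parse touches: 2 (APP1 length field) + 6 ("Exif\0\0")
 * + 8 (TIFF header: byte order, 0x002A magic, IFD0 offset). */
#define EXIF_MIN_SECTION_LEN 16u
/* Hypothetical status codes for this example; jhead reports errors differently. */
enum exif_status { EXIF_OK = 0, EXIF_TOO_SHORT, EXIF_BAD_HEADER,
                   EXIF_BAD_BYTE_ORDER, EXIF_BAD_MAGIC, EXIF_BAD_IFD_OFFSET };
/* Byte-order aware readers; mm != 0 means Motorola (big-endian). */
static uint16_t get16(const uint8_t *p, int mm)
{ return mm ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]); }
static uint32_t get32(const uint8_t *p, int mm)
{ return mm ? (uint32_t)get16(p, 1) << 16 | get16(p + 2, 1)
            : (uint32_t)get16(p + 2, 0) << 16 | get16(p, 0); }

/* Parse the fixed EXIF/TIFF prefix of an APP1 section. The length check
 * comes first, so a 10-byte section as in the report is rejected before
 * any header byte is read. */
enum exif_status parse_exif_prefix(const uint8_t *section, size_t length,
                                   int *mm, uint32_t *first_ifd)
{
    if (section == NULL || length < EXIF_MIN_SECTION_LEN)
        return EXIF_TOO_SHORT;
    if (memcmp(section + 2, "Exif\0\0", 6) != 0)
        return EXIF_BAD_HEADER;
    if (memcmp(section + 8, "II", 2) == 0)      *mm = 0;
    else if (memcmp(section + 8, "MM", 2) == 0) *mm = 1;
    else return EXIF_BAD_BYTE_ORDER;
    if (get16(section + 10, *mm) != 0x002A)
        return EXIF_BAD_MAGIC;
    /* IFD0 offset is relative to the TIFF header at section + 8: it must skip
     * that header and leave room for the 2-byte entry count. length >= 16
     * here, so length - 10 cannot underflow. */
    *first_ifd = get32(section + 12, *mm);
    return (*first_ifd < 8 || *first_ifd > length - 10) ? EXIF_BAD_IFD_OFFSET : EXIF_OK;
}

/* Constructed samples (not the report's repro file): a valid 18-byte
 * big-endian prefix with an empty IFD0, the same with an IFD0 offset that
 * points past the section, and a 10-byte truncated section. */
const uint8_t SAMPLE_OK[18]     = { 0,0x12, 'E','x','i','f',0,0, 'M','M', 0,0x2A, 0,0,0,8, 0,0 };
const uint8_t SAMPLE_BADOFF[18] = { 0,0x12, 'E','x','i','f',0,0, 'M','M', 0,0x2A, 0,0,0,9, 0,0 };
const uint8_t SAMPLE_SHORT[10]  = { 0,0x0A, 'E','x','i','f',0,0, 'M','M' };

int check_sample(const uint8_t *s, size_t n)
{ int mm = 0; uint32_t off = 0; return (int)parse_exif_prefix(s, n, &mm, &off); }
```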