Skip to content
Permalink
Browse files Browse the repository at this point in the history
ExifParse: Backport further upstream fixes
  • Loading branch information
fritsch committed Jan 3, 2023
1 parent 367cc80 commit 54df944
Showing 1 changed file with 6 additions and 7 deletions.
13 changes: 6 additions & 7 deletions xbmc/pictures/ExifParse.cpp
Expand Up @@ -28,6 +28,7 @@

#include <math.h>
#include <stdio.h>
#include <stdint.h>

#ifndef min
#define min(a,b) (a)>(b)?(b):(a)
Expand Down Expand Up @@ -328,7 +329,6 @@ void CExifParse::ProcessDir(const unsigned char* const DirStart,
memset(IndentString, ' ', 25);
IndentString[NestingLevel * 4] = '\0';


int NumDirEntries = Get16((const void*)DirStart, m_MotorolaOrder);

const unsigned char* const DirEnd = DIR_ENTRY_ADDR(DirStart, NumDirEntries);
Expand Down Expand Up @@ -376,7 +376,7 @@ void CExifParse::ProcessDir(const unsigned char* const DirStart,
unsigned OffsetVal;
OffsetVal = (unsigned)Get32(DirEntry+8, m_MotorolaOrder);
// If its bigger than 4 bytes, the dir entry contains an offset.
if (OffsetVal+ByteCount > ExifLength)
if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength)
{
// Bogus pointer offset and / or bytecount value
ErrNonfatal("Illegal value pointer for tag %04x", Tag,0);
Expand Down Expand Up @@ -787,10 +787,10 @@ bool CExifParse::Process (const unsigned char* const ExifSection, const unsigned
pos += sizeof(short);

unsigned long FirstOffset = (unsigned)Get32((const void*)pos, m_MotorolaOrder);
if (FirstOffset < 8 || FirstOffset > 16)
if (FirstOffset < 8 || FirstOffset+8 >= length)
{
// Usually set to 8, but other values valid too.
// CLog::Log(LOGERROR, "ExifParse: suspicious offset of first IFD value");
ErrNonfatal("Invalid offset of first IFD value: %u", FirstOffset, 0);
return false;
}


Expand Down Expand Up @@ -883,7 +883,6 @@ void CExifParse::ProcessGpsInfo(
ErrNonfatal("GPS info directory goes past end of exif", 0, 0);
return;
}

unsigned Tag = Get16(DirEntry, m_MotorolaOrder);
unsigned Format = Get16(DirEntry+2, m_MotorolaOrder);
unsigned Components = (unsigned)Get32(DirEntry+4, m_MotorolaOrder);
Expand All @@ -902,7 +901,7 @@ void CExifParse::ProcessGpsInfo(
{
unsigned OffsetVal = (unsigned)Get32(DirEntry+8, m_MotorolaOrder);
// If its bigger than 4 bytes, the dir entry contains an offset.
if (OffsetVal+ByteCount > ExifLength)
if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount> ExifLength)
{
// Bogus pointer offset and / or bytecount value
ErrNonfatal("Illegal value pointer for tag %04x", Tag,0);
Expand Down

0 comments on commit 54df944

Please sign in to comment.