handle illegal offsets earlier
Bail out if an offset runs over the datasize.

fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20065&q=libexif&can=2
msmeissn committed May 17, 2020
1 parent 3454046 commit cdf1e32
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions libexif/exif-data.c
Expand Up @@ -448,6 +448,11 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd,
case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
o = exif_get_long (d + offset + 12 * i + 8,
data->priv->order);
if (o >= ds) {
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
"Tag data past end of buffer (%u > %u)", offset+2, ds);
return;
}
/* FIXME: IFD_POINTER tags aren't marked as being in a
* specific IFD, so exif_tag_get_name_in_ifd won't work
*/
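Review bot: the log message in the new `if (o >= ds)` check does not describe the condition it reports. It prints `offset+2` with a `>` sign, while the value that failed the test is `o` and the comparison is `>=`; a reader of the corrupt-data log will see a number that was never compared against `ds`. Suggest `"Tag data past end of buffer (%u >= %u)", o, ds` so the message matches what was actually tested. It is also worth confirming that the code following this check reads no more than one byte at `d + o`; if it reads a multi-byte value or a length-delimited block starting at `o`, a bound of `o >= ds` still lets a read that starts just below `ds` run past the buffer, and the check would need to account for that size.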
