blob: c6b5166adb09cef32acc07d414bbcdbf2bc42bc2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
From cb2467834d118ae11526f7d24a699799ce5c4912 Mon Sep 17 00:00:00 2001
From: Jens Georg <mail@jensge.org>
Date: Sun, 6 Oct 2019 15:05:20 +0200
Subject: [PATCH 1/2] crwimage: Check offset and size against total size
Corrupted or specially crafted CRW images might exceed the overall
buffersize.
Fixes #1019
(cherry picked from commit 683451567284005cd24e1ccb0a76ca401000968b)
---
src/crwimage.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/crwimage.cpp b/src/crwimage.cpp
index 989c0eb8..a0978aaf 100644
--- a/src/crwimage.cpp
+++ b/src/crwimage.cpp
@@ -448,6 +448,9 @@ namespace Exiv2 {
#ifdef DEBUG
std::cout << "Reading directory 0x" << std::hex << tag() << "\n";
#endif
+ if (this->offset() + this->size() > size)
+ throw Error(26);
+
readDirectory(pData + offset(), this->size(), byteOrder);
#ifdef DEBUG
std::cout << "<---- 0x" << std::hex << tag() << "\n";
--
2.24.1
|
