Mercurial > geeqie.yaz
comparison src/exif.c @ 1674:d5c921f9bb4c
Fix a overrun
data_offset + data_length could be bigger than guint which makes the
calculation overflow to a value smaller then size.
author | mow |
---|---|
date | Sat, 18 Jul 2009 08:16:54 +0000 |
parents | ece97f3f2305 |
children |
comparison
equal
deleted
inserted
replaced
1673:5f272d19dabe | 1674:d5c921f9bb4c |
---|---|
925 | 925 |
926 data_length = ExifFormatList[marker->format].size * count; | 926 data_length = ExifFormatList[marker->format].size * count; |
927 if (data_length > 4) | 927 if (data_length > 4) |
928 { | 928 { |
929 data_offset = data_val; | 929 data_offset = data_val; |
930 if (size < data_offset + data_length) | 930 if (size < data_offset || size < data_offset + data_length) |
931 { | 931 { |
932 log_printf("warning: exif tag %s data will overrun end of file, ignored.\n", marker->key); | 932 log_printf("warning: exif tag %s data will overrun end of file, ignored.\n", marker->key); |
933 return -1; | 933 return -1; |
934 } | 934 } |
935 } | 935 } |