Mercurial > geeqie
comparison src/exif.c @ 1697:219e1ba3ae30
Fix a overrun
data_offset + data_length could be bigger than guint which makes the
calculation overflow to a value smaller then size.
| author | mow |
|---|---|
| date | Sat, 18 Jul 2009 08:16:54 +0000 |
| parents | 59c72fd324ce |
| children | 1cff176f8144 |
comparison
equal
deleted
inserted
replaced
| 1696:1c31b33a3138 | 1697:219e1ba3ae30 |
|---|---|
| 925 | 925 |
| 926 data_length = ExifFormatList[marker->format].size * count; | 926 data_length = ExifFormatList[marker->format].size * count; |
| 927 if (data_length > 4) | 927 if (data_length > 4) |
| 928 { | 928 { |
| 929 data_offset = data_val; | 929 data_offset = data_val; |
| 930 if (size < data_offset + data_length) | 930 if (size < data_offset || size < data_offset + data_length) |
| 931 { | 931 { |
| 932 log_printf("warning: exif tag %s data will overrun end of file, ignored.\n", marker->key); | 932 log_printf("warning: exif tag %s data will overrun end of file, ignored.\n", marker->key); |
| 933 return -1; | 933 return -1; |
| 934 } | 934 } |
| 935 } | 935 } |