762cbe96aa
fixes CVE-2016-3822, patch origin:
bae671597d
19 lines
673 B
Diff
19 lines
673 B
Diff
--- exif.c
|
|
+++ exif.c
|
|
@@ -9,6 +9,7 @@
|
|
#include "jhead.h"
|
|
|
|
#include <math.h>
|
|
+#include <stdint.h>
|
|
|
|
static unsigned char * DirWithThumbnailPtrs;
|
|
static double FocalplaneXRes;
|
|
@@ -527,7 +528,7 @@
|
|
unsigned OffsetVal;
|
|
OffsetVal = Get32u(DirEntry+8);
|
|
// If its bigger than 4 bytes, the dir entry contains an offset.
|
|
- if (OffsetVal+ByteCount > ExifLength){
|
|
+ if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
|
|
// Bogus pointer offset and / or bytecount value
|
|
ErrNonfatal("Illegal value pointer for tag %04x in Exif", Tag,0);
|
|
continue;
|