Diffstat (limited to 'ext/exif/exif.c')
-rw-r--r--ext/exif/exif.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 67e827b441..3a76d8fde8 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2944,7 +2944,10 @@ static void exif_thumbnail_extract(image_info_type *ImageInfo, char *offset, siz
return;
}
/* Check to make sure we are not going to go past the ExifLength */
- if ((ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length) {
+ if (ImageInfo->Thumbnail.size > length
+ || (ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length
+ || ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size
+ ) {
EXIF_ERRLOG_THUMBEOF(ImageInfo)
return;
}
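Review bot: The middle clause of the new condition, `(ImageInfo->Thumbnail.offset + ImageInfo->Thumbnail.size) > length`, is the old check kept verbatim, and it is the only place where the sum that can wrap is still evaluated. Once `ImageInfo->Thumbnail.size > length` has been ruled out, `ImageInfo->Thumbnail.offset > length - ImageInfo->Thumbnail.size` expresses the same bound without the addition, so the middle clause can be dropped. The types of the fields and of `length` are declared outside the hunk: if they are unsigned the leftover clause is only redundant, but if they are signed the addition is undefined on overflow. A short comment such as `/* compare by subtraction so offset + size cannot wrap */` would keep a later cleanup from folding the test back into the sum. exif_thumbnail_extract starts and ends outside the hunk.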
@@ -3126,7 +3129,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
#endif
const maker_note_type *maker_note;
char *dir_start;
-
+ int data_len;
+
for (i=0; i<=sizeof(maker_note_array)/sizeof(maker_note_type); i++) {
if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) {
#ifdef EXIF_DEBUG
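Review bot: `int data_len;` is declared without an initializer, and the assignments added in the later hunks cover only the `MN_OFFSET_MAKER` case and the `MN_OFFSET_GUESS` case, which is compiled only under `#ifdef KALLE_0`. The body of the `default:` branch lies outside the visible hunks, so if it does not assign `data_len`, the `exif_process_IFD_TAG` call in the last hunk receives an indeterminate value as the length bound for data parsed from the file. That branch should set the bound explicitly. Presumably `data_len = IFDlength;` fits, since `offset_base` is not rebased there and `IFDlength` was the value passed before this change, but this needs confirming against the full switch. The parameter types are also not visible here; if the callee takes an unsigned length, declaring the local as `size_t data_len` would avoid a sign conversion of `value_len - offset_diff`.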
@@ -3180,6 +3184,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
switch (maker_note->offset_mode) {
case MN_OFFSET_MAKER:
offset_base = value_ptr;
+ data_len = value_len;
break;
#ifdef KALLE_0
case MN_OFFSET_GUESS:
@@ -3197,6 +3202,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
return FALSE;
}
offset_base = value_ptr + offset_diff;
+ data_len = value_len - offset_diff;
break;
#endif
default:
@@ -3211,7 +3217,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
for (de=0;de<NumDirEntries;de++) {
if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
- offset_base, IFDlength, displacement, section_index, 0, maker_note->tag_table)) {
+ offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
return FALSE;
}
}