Fix out of bounds read in src/pngchunk_int.cpp by @brianmay

- take into account that key is advanced by 8 bytes if stripHeader is true
  => the length available after it is reduced by the same amount
  Fixed by adding the offset to the bounds check in the loop
- Rewrote loop so that keysize is checked before the next
  iteration (preventing an out of bounds read)
Dan Čermák 2018-01-22 23:56:08 +01:00
parent df4113b765
commit 4429b962e1


@ -103,15 +103,17 @@ namespace Exiv2 {
{
// From a tEXt, zTXt, or iTXt chunk,
// we get the key, it's a null terminated string at the chunk start
if (data.size_ <= (stripHeader ? 8 : 0)) throw Error(14);
const byte *key = data.pData_ + (stripHeader ? 8 : 0);
const int offset = stripHeader ? 8 : 0;
if (data.size_ <= offset) throw Error(14);
const byte *key = data.pData_ + offset;
// Find null string at end of key.
int keysize=0;
for ( ; key[keysize] != 0 ; keysize++)
while (key[keysize] != 0)
{
keysize++;
// look if keysize is valid.
if (keysize >= data.size_)
if (keysize+offset >= data.size_)
throw Error(14);
}