From 77616c3204bc65028129edbc3375c8671fe551cb Mon Sep 17 00:00:00 2001 From: Robin Mills Date: Fri, 14 Apr 2017 19:42:53 +0000 Subject: [PATCH] #1289 Thanks to Asdiel (AlienSkin) for reporting this and providing a test file. Thanks to Ben for investigation and patch. --- src/image.cpp | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/src/image.cpp b/src/image.cpp index 7a5d2d27..0d828045 100644 --- a/src/image.cpp +++ b/src/image.cpp @@ -374,6 +374,13 @@ namespace Exiv2 { uint32_t count = byteSwap4(dir,4,bSwap); uint32_t offset = byteSwap4(dir,8,bSwap); + // Break for unknown tag types else we may get segfault. + if ( !typeValid(type) ) { + std::cerr << "invalid type value detected in Image::printIFDStructure: " << type << std::endl; + start = 0; // break from do loop + break; // break from for loop + } + std::string sp = "" ; // output spacer //prepare to print the value @@ -391,12 +398,6 @@ namespace Exiv2 { : 1 ; - // Break for unknown tag types else we may get segfault. - if ( !typeValid(type) ) { - std::cerr << "invalid type value detected in Image::printIFDStructure: " << type << std::endl; - break; - } - // if ( offset > io.size() ) offset = 0; // Denial of service? DataBuf buf(size*count + pad+20); // allocate a buffer std::memcpy(buf.pData_,dir.pData_+8,4); // copy dir[8:11] into buffer (short strings) @@ -486,14 +487,16 @@ namespace Exiv2 { out.write((const char*)buf.pData_,count); } } - io.read(dir.pData_, 4); - start = tooBig ? 0 : byteSwap4(dir,0,bSwap); - out.flush(); + if ( start ) { + io.read(dir.pData_, 4); + start = tooBig ? 0 : byteSwap4(dir,0,bSwap); + } } while (start) ; if ( bPrint ) { out << Internal::indent(depth) << "END " << io.path() << std::endl; } + out.flush(); depth--; }
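Review bot: Only `type` is validated by the check that the first hunk moves up; `count` and `offset`, read from the same directory entry just above it, still reach the later code unchecked. The next hunk's context shows `DataBuf buf(size*count + pad+20)` sized from `count`, and the `offset > io.size()` test beside it is commented out with a "Denial of service?" remark. A malformed entry can therefore presumably force a very large allocation or, if the product is computed in 32 bits, wrap to a buffer smaller than the data later copied into it. Once `size` is known (that code sits between the hunks and is not visible here), reject such entries the same way the new block does, for example `if ( count > io.size() / size || offset > io.size() ) { start = 0; break; }`, after confirming that `size` can never be zero.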
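Review bot: The result of `io.read(dir.pData_, 4)` inside the new `if ( start )` block in the third hunk is not checked, so on a truncated file `start` is decoded from whatever bytes `dir` already held. Assuming `read` returns the number of bytes read, treat a short read as the end of the chain: `if ( io.read(dir.pData_, 4) != 4 ) start = 0; else start = tooBig ? 0 : byteSwap4(dir,0,bSwap);`. The next-IFD offset is also taken from the file with no visible comparison against `io.size()` or against offsets already visited, so a self-referencing chain could keep the `do` loop running. The loop head is outside this hunk, so confirm whether that case is handled there.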