From e40c9c148e4d2135d0d732b8dff994a9afde3394 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Fri, 6 Jul 2018 11:51:55 +0200
Subject: [PATCH] Remove buffer overread in tExtToDataBuf
The pointer p is advanced in the while loop to step over three '\n'.
However, its length is never reduced accordingly. => the length check in the
following for loop is invalid, as it permits overreading by the number of
characters that p was advanced by.
---
src/pngimage.cpp | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
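diff --git a/src/pngimage.cpp b/src/pngimage.cpp
index dc623c4..a99a20b 100644
--- a/src/pngimage.cpp
+++ b/src/pngimage.cpp
@@ -160,12 +160,21 @@ namespace Exiv2 {
 }
 
 // calculate length and allocate result;
+// count: number of \n in the header
 long count=0;
+// p points to the current position in the array bytes
 const byte* p = bytes ;
-// header is \nsomething\n number\n hex
-while ( count < 3 )
-if ( *p++ == '\n' )
+
+// header is '\nsomething\n number\n hex'
+// => increment p until it points to the byte after the last \n
+// p must stay within bounds of the bytes array!
+while ((count < 3) && (p - bytes < length)) {
+// length is later used for range checks of p => decrement it for each increment of p
+--length;
+if ( *p++ == '\n' ) {
 count++;
+}
+}
 for ( long i = 0 ; i < length ; i++ )
 if ( value[p[i]] )
 ++count;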
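Review bot: The bound in the new `while` condition compares `p - bytes` against a `length` that the loop body decrements on every iteration, so the two values meet once `p` has advanced about half of the original `length`, and a header whose third newline lies past that point is not skipped even though the bytes are in range. Since `length` is already maintained as the remaining byte count, the guard that matches the comment above it is simply `while ((count < 3) && (length > 0)) {`. The hunk also does not distinguish "three newlines found" from "buffer exhausted": when the loop ends with `count < 3`, the `for` loop continues to add hex-digit hits to a `count` that still holds the newline tally, so the code after the loop should treat `count < 3` as malformed input and bail out in whatever way this function reports errors. The enclosing function starts before and continues after the hunk, so the allocation that consumes `count` is not visible here.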
--
1.8.3.1