30 lines
1.2 KiB
Diff
30 lines
1.2 KiB
Diff
From c98d372b48adc6de859dc04e2e0c33441cfe136c Mon Sep 17 00:00:00 2001
|
|
From: Pydera <pydera@mailbox.org>
|
|
Date: Thu, 8 Apr 2021 17:11:38 +0200
|
|
Subject: [PATCH] Fix out of buffer access in #1530
|
|
|
|
---
|
|
src/crwimage_int.cpp | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/crwimage.cpp b/src/crwimage.cpp
|
|
index a44a67e2c..9155e0042 100644
|
|
--- a/src/crwimage.cpp
|
|
+++ b/src/crwimage.cpp
|
|
@@ -1186,11 +1186,13 @@ namespace Exiv2 {
|
|
CiffComponent* cc = pHead->findComponent(pCrwMapping->crwTagId_,
|
|
pCrwMapping->crwDir_);
|
|
if (edX != edEnd || edY != edEnd || edO != edEnd) {
|
|
- uint32_t size = 28;
|
|
+ size_t size = 28;
|
|
if (cc && cc->size() > size) size = cc->size();
|
|
DataBuf buf(size);
|
|
std::memset(buf.pData_, 0x0, buf.size_);
|
|
- if (cc) std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
|
|
+ if (cc && cc->size() > 8) {
|
|
+ std::memcpy(buf.pData_ + 8, cc->pData() + 8, cc->size() - 8);
|
|
+ }
|
|
if (edX != edEnd && edX->size() == 4) {
|
|
edX->copy(buf.pData_, pHead->byteOrder());
|
|
}
|