File 0001-IptcData-printStructure-Remove-buffer-over... of Package exiv2.26596

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-IptcData-printStructure-Remove-buffer-overrun.patch of Package exiv2.26596

From f9b4f4669e2d181a22235bbd3f108b55542abbb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
Date: Fri, 6 Jul 2018 11:39:45 +0200
Subject: [PATCH] [IptcData::printStructure] Remove buffer overrun

The loop condition will perform a range check correctly, but it will always
dereference bytes[i], even if i is too large and fails the second check.
=> move the bytes[i] == 0x1c check into a if, after the range check was
successfull

(cherry picked from commit b2c3b61abcdb8e1a904e7c3f8b9f683c1b0b5668)
---
 src/iptc.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/iptc.cpp b/src/iptc.cpp
index 99f5ee5b..fc3df043 100644
--- a/src/iptc.cpp
+++ b/src/iptc.cpp
@@ -359,7 +359,10 @@ namespace Exiv2 {
 		while  ( i < size-3 && bytes[i] != 0x1c ) i++;
 		depth++;
 		out << Internal::indent(depth) << "Record | DataSet | Name                     | Length | Data" << std::endl;
-		while ( bytes[i] == 0x1c && i < size-3 ) {
+		while ( i < size-3 ) {
+                        if (bytes[i] != 0x1c) {
+                                break;
+                        }
 			char buff[100];
 			uint16_t record  = bytes[i+1];
 			uint16_t dataset = bytes[i+2];
-- 
2.25.1

Places

File 0001-IptcData-printStructure-Remove-buffer-overrun.patch of Package exiv2.26596

Places