Skip to content

Commit

Permalink
exif: fix integer overflow in position check
Browse files Browse the repository at this point in the history
Resolves #1043
  • Loading branch information
bradh committed Dec 1, 2023
1 parent 5e19d8b commit 06f4cfd
Showing 1 changed file with 8 additions and 8 deletions.
16 changes: 8 additions & 8 deletions libheif/exif.cc
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@

static int32_t read32(const uint8_t* data, int size, int pos, bool littleEndian)
{
if (pos + 4 > size) {
if (pos > size - 4) {
return -1;
}

Expand All @@ -45,7 +45,7 @@ static int32_t read32(const uint8_t* data, int size, int pos, bool littleEndian)

static int32_t read16(const uint8_t* data, int size, int pos, bool littleEndian)
{
if (pos + 2 > size) {
if (pos > size - 2) {
return -1;
}

Expand All @@ -62,7 +62,7 @@ static int32_t read16(const uint8_t* data, int size, int pos, bool littleEndian)

static void write16(uint8_t* data, int size, int pos, uint16_t value, bool littleEndian)
{
if (pos + 2 > size) {
if (pos > size - 2) {
return;
}

Expand Down Expand Up @@ -95,18 +95,18 @@ static int find_exif_tag(const uint8_t* exif, int size, uint16_t query_tag, boo
assert(out_littleEndian);
*out_littleEndian = littleEndian;

int offset = read32(exif, size, 4, littleEndian);
int32_t offset = read32(exif, size, 4, littleEndian);
if (offset < 0) {
return -1;
}

int cnt = read16(exif, size, offset, littleEndian);
int32_t cnt = read16(exif, size, offset, littleEndian);
if (cnt < 1) {
return -1;
}

for (int i = 0; i < cnt; i++) {
int tag = read16(exif, size, offset + 2 + i * 12, littleEndian);
int32_t tag = read16(exif, size, offset + 2 + i * 12, littleEndian);
if (tag == query_tag) {
return offset + 2 + i * 12;
}
Expand Down Expand Up @@ -149,8 +149,8 @@ int read_exif_orientation_tag(const uint8_t* exif, int size)
return DEFAULT_EXIF_ORIENTATION;
}

int type = read16(exif, size, pos + 2, little_endian);
int count = read32(exif, size, pos + 4, little_endian);
int32_t type = read16(exif, size, pos + 2, little_endian);
int32_t count = read32(exif, size, pos + 4, little_endian);

if (type == EXIF_TYPE_SHORT && count == 1) {
return read16(exif, size, pos + 8, little_endian);
Expand Down

0 comments on commit 06f4cfd

Please sign in to comment.