| From b7890776c62398ca1005e8edc32786859d60fcf7 Mon Sep 17 00:00:00 2001 |
| From: Jens Georg <mail@jensge.org> |
| Date: Sun, 6 Oct 2019 15:05:20 +0200 |
| Subject: [PATCH] crwimage: Check offset and size against total size |
| |
| Corrupted or specially crafted CRW images might exceed the overall |
| buffer size. |
| |
| Fixes #1019 |
| |
| (cherry picked from commit 683451567284005cd24e1ccb0a76ca401000968b) |
| [Retrieved (and slightly updated to keep only the fix) from: |
| https://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec] |
| Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> |
| --- |
| src/crwimage_int.cpp | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp |
| index 29311fdb7..c0d955350 100644 |
| --- a/src/crwimage_int.cpp |
| +++ b/src/crwimage_int.cpp |
| @@ -268,6 +268,9 @@ namespace Exiv2 { |
| #ifdef EXIV2_DEBUG_MESSAGES |
| std::cout << "Reading directory 0x" << std::hex << tag() << "\n"; |
| #endif |
| + if (this->offset() + this->size() > size) |
| + throw Error(kerOffsetOutOfRange); |
| + |
| readDirectory(pData + offset(), this->size(), byteOrder); |
| #ifdef EXIV2_DEBUG_MESSAGES |
| std::cout << "<---- 0x" << std::hex << tag() << "\n"; |
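Review bot: The added guard `this->offset() + this->size() > size` can itself wrap around, because both operands are read from the image file. If `offset()` and `size()` are fixed-width unsigned values (their types are not visible in this hunk), an offset near the type's maximum plus a small size sums to a small number, passes the check, and `pData + offset()` is still handed to `readDirectory`. Comparing without the addition avoids this: `if (this->offset() > size || this->size() > size - this->offset()) throw Error(kerOffsetOutOfRange);`. The enclosing function starts and ends outside the hunk, so it cannot be seen here whether an earlier check already bounds `offset()`.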