--- libexif-0.6.13/libexif/exif-data.c.cve-2007-4168 2005-08-22 16:32:02.000000000 -0400
+++ libexif-0.6.13/libexif/exif-data.c 2007-06-13 15:12:22.000000000 -0400
@@ -155,7 +155,7 @@ exif_data_new_from_data (const unsigned
return (edata);
}
-static void
+static int
exif_data_load_data_entry (ExifData *data, ExifEntry *entry,
const unsigned char *d,
unsigned int size, unsigned int offset)
@@ -174,9 +174,15 @@ exif_data_load_data_entry (ExifData *dat
* Size? If bigger than 4 bytes, the actual data is not
* in the entry but somewhere else (offset).
*/
- s = exif_format_get_size (entry->format) * entry->components;
- if (!s)
- return;
+ /* {0,1,2,4,8} x { 0x00000000 .. 0xffffffff } * -> { 0x000000000 .. 0x7fffffff8 } */
+ s = exif_format_get_size(entry->format) * entry->components;
+ if (s < entry->components) {
+ return 0;
+ }
+ if (0 == s)
+ return 0;
+
if (s > 4)
doff = exif_get_long (d + offset + 8, data->priv->order);
else
@@ -184,7 +190,7 @@ exif_data_load_data_entry (ExifData *dat
/* Sanity check */
if (size < doff + s)
- return;
+ return 0;
entry->data = exif_data_alloc (data, s);
if (entry->data) {
@@ -203,6 +209,8 @@ exif_data_load_data_entry (ExifData *dat
entry->data[6]);
data->priv->offset_mnote = doff;
}
+
+ return 1;
}
static void
@@ -413,9 +421,9 @@ exif_data_load_data_content (ExifData *d
break;
}
entry = exif_entry_new_mem (data->priv->mem);
- exif_data_load_data_entry (data, entry, d, ds,
- offset + 12 * i);
- exif_content_add_entry (data->ifd[ifd], entry);
+ if (exif_data_load_data_entry (data, entry, d, ds,
+ offset + 12 * i))
+ exif_content_add_entry (data->ifd[ifd], entry);
exif_entry_unref (entry);
break;
}
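Review bot: The new `int` return of exif_data_load_data_entry is not documented anywhere in the hunk, and the caller in exif_data_load_data_content now silently drops an entry on 0 without any record of why. A short comment above the `static int` line would fix that: `/* Returns 1 when entry->data was loaded from d, 0 when the entry was rejected (zero or overflowing size, or data lying outside the size-byte buffer); a rejected entry must not be added to an IFD. */`. The body of exif_data_load_data_entry continues outside this hunk.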
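Review bot: The added `if (s < entry->components)` test only catches some wrapped products, and the sanity check left in the next hunk, `if (size < doff + s)`, can itself wrap because doff is read straight from the file by exif_get_long on the line below. For the 8-byte formats the product can wrap to a value that is still larger than components (constructed example: 8 * 0x30000000 wraps to 0x80000000), so a large s reaches the `doff + s` sum, and a doff chosen to wrap that sum passes the size check and the later copy from d + doff reads outside the buffer. The robust form avoids the addition entirely: `if (doff > size || size - doff < s) return 0;` in the third hunk, which also makes the heuristic in this hunk a belt-and-braces check rather than the only line of defence. Both checks sit inside exif_data_load_data_entry, whose start and end lie outside these hunks.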
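Review bot: The new `if` in exif_data_load_data_content has a two-line condition and an unbraced one-statement body, which is the shape that breeds a misplaced-statement bug on the next edit; brace it, `if (exif_data_load_data_entry (data, entry, d, ds, offset + 12 * i)) { exif_content_add_entry (data->ifd[ifd], entry); }`, or fold the call into a local `int ok` first. The enclosing switch and function extend beyond this hunk.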