Blame SOURCES/exiv2-CVE-2018-11531.patch
|
 |
340e69 |
diff --git a/src/preview.cpp b/src/preview.cpp
|
|
|
340e69 |
index c34c8bd..69f8e01 100644
|
|
|
340e69 |
--- a/src/preview.cpp
|
|
|
340e69 |
+++ b/src/preview.cpp
|
|
|
340e69 |
@@ -36,6 +36,7 @@ EXIV2_RCSID("@(#) $Id$")
|
|
|
340e69 |
|
|
|
340e69 |
#include "preview.hpp"
|
|
|
340e69 |
#include "futils.hpp"
|
|
|
340e69 |
+#include "enforce.hpp"
|
|
|
340e69 |
|
|
|
340e69 |
#include "image.hpp"
|
|
|
340e69 |
#include "cr2image.hpp"
|
|
|
340e69 |
@@ -807,13 +808,14 @@ namespace {
|
|
|
340e69 |
else {
|
|
|
340e69 |
// FIXME: the buffer is probably copied twice, it should be optimized
|
|
|
340e69 |
DataBuf buf(size_);
|
|
|
340e69 |
- Exiv2::byte* pos = buf.pData_;
|
|
|
340e69 |
+ uint32_t idxBuf = 0;
|
|
|
340e69 |
for (int i = 0; i < sizes.count(); i++) {
|
|
|
340e69 |
uint32_t offset = dataValue.toLong(i);
|
|
|
340e69 |
uint32_t size = sizes.toLong(i);
|
|
|
340e69 |
- if (offset + size <= static_cast<uint32_t>(io.size()))
|
|
|
340e69 |
- memcpy(pos, base + offset, size);
|
|
|
340e69 |
- pos += size;
|
|
|
340e69 |
+ enforce(idxBuf + size < size_, kerCorruptedMetadata);
|
|
|
340e69 |
+ if (size!=0 && offset + size <= static_cast<uint32_t>(io.size()))
|
|
|
340e69 |
+ memcpy(&buf.pData_[idxBuf], base + offset, size);
|
|
|
340e69 |
+ idxBuf += size;
|
|
|
340e69 |
}
|
|
|
340e69 |
dataValue.setDataArea(buf.pData_, buf.size_);
|
|
|
340e69 |
}
|