fix check whether Exif IFD table fits within given memory area
farindk committed Aug 3, 2024
1 parent dc2e421 commit e7c5649
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions libheif/exif.cc
Expand Up @@ -99,13 +99,15 @@ static uint32_t find_exif_tag(const uint8_t* exif, uint32_t size, uint16_t query

uint16_t cnt = read16(exif, size, offset, littleEndian);

// Does the IFD table fit into our memory range? We need this to prevent an underflow in the following statement.
if (2U + cnt * 12U > size) {
// Does the IFD table fit into our memory range? We need this check to prevent an underflow in the following statement.
uint32_t IFD_table_size = 2U + cnt * 12U;
if (IFD_table_size > size) {
return 0;
}

// end of IFD table would exceed the end of the EXIF data
if (size - 2U - cnt * 12U > offset) {
// offset + IFD_table_size > size ?
if (size - IFD_table_size < offset) {
return 0;
}
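
Review bot: The second check, `if (size - IFD_table_size < offset)`, reverses the direction of the comparison it replaces (`if (size - 2U - cnt * 12U > offset)`), so this commit changes which inputs are rejected and is not only a refactor into `IFD_table_size`; the commit message should say so, and a regression test with an Exif block where `offset + IFD_table_size` is just above `size`, plus one where it is exactly equal, would pin the boundary. The comment on the first check still says the underflow is "in the following statement", but the subtraction it guards now sits two statements further down, so pointing it at the `size - IFD_table_size` line would be clearer. A short remark next to the declaration that `cnt` is a `uint16_t`, so `2U + cnt * 12U` is at most 65535 * 12 + 2 and cannot wrap, would also help, since both checks rely on that.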
