diff options
author | Hubert Figuière <hub@figuiere.net> | 2017-08-14 23:57:51 -0400 |
---|---|---|
committer | Hubert Figuière <hub@figuiere.net> | 2017-08-14 23:59:47 -0400 |
commit | 65a8492832b7335ffabd01f5f64d89dec757c260 (patch) | |
tree | d6840f518c61b8be68ce67a262d66dbb528e19be | |
parent | 7ab1ed70f72a1ccb257b2be264b3ed0c00a6f1d7 (diff) |
Bug 102151 - RIFF: fix an infinite loop cause by an overflow
-rw-r--r-- | XMPFiles/source/FormatSupport/RIFF.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/XMPFiles/source/FormatSupport/RIFF.cpp b/XMPFiles/source/FormatSupport/RIFF.cpp index 4d9a0c1..93a318c 100644 --- a/XMPFiles/source/FormatSupport/RIFF.cpp +++ b/XMPFiles/source/FormatSupport/RIFF.cpp @@ -167,7 +167,8 @@ Chunk::Chunk( ContainerChunk* parent, RIFF_MetaHandler* handler, bool skip, Chun this->oldPos = file->Offset(); this->id = XIO::ReadUns32_LE( file ); - this->oldSize = XIO::ReadUns32_LE( file ) + 8; + this->oldSize = XIO::ReadUns32_LE( file ); + this->oldSize += 8; // Make sure the size is within expected bounds. XMP_Int64 chunkEnd = this->oldPos + this->oldSize; |