Bug 105205 - fix a buffer overflow in the TIFF parser

author: Hubert Figuière <hub@figuiere.net> 2018-02-25 14:01:52 -0500
committer: Hubert Figuière <hub@figuiere.net> 2018-02-25 14:01:52 -0500
commit: e163667a06a9b656a047b0ec660b871f29a83c9f (patch)
tree: ac97112c70e4cca8244ffb66880b8049310f45a0
parent: 6cbd34025e5fd3ba47b29b602096e456507ce83b (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/XMPFiles/source/FileHandlers/TIFF_Handler.cpp b/XMPFiles/source/FileHandlers/TIFF_Handler.cpp
index a09b879..37e4ab1 100644
--- a/XMPFiles/source/FileHandlers/TIFF_Handler.cpp
+++ b/XMPFiles/source/FileHandlers/TIFF_Handler.cpp
@@ -235,8 +235,9 @@ void TIFF_MetaHandler::ProcessXMP()
 			// zero padding for the IPTC digest. If the full digest differs, recheck without the padding.
 
 			iptcDigestState = PhotoDataUtils::CheckIPTCDigest ( iptcInfo.dataPtr, iptcInfo.dataLen, digestInfo.dataPtr );
-
-			if ( (iptcDigestState == kDigestDiffers) && (kTIFF_TypeSizes[iptcInfo.type] > 1) ) {
+			// See bug https://bugs.freedesktop.org/show_bug.cgi?id=105205
+			// if iptcInfo.dataLen is 0, then there is no digest.
+			if ( (iptcDigestState == kDigestDiffers) && (kTIFF_TypeSizes[iptcInfo.type] > 1) && iptcInfo.dataLen > 0 ) {
 				XMP_Uns8 * endPtr = (XMP_Uns8*)iptcInfo.dataPtr + iptcInfo.dataLen - 1;
 				XMP_Uns8 * minPtr = endPtr - kTIFF_TypeSizes[iptcInfo.type] + 1;
 				while ( (endPtr >= minPtr) && (*endPtr == 0) ) --endPtr;
author	Hubert Figuière <hub@figuiere.net>	2018-02-25 14:01:52 -0500
committer	Hubert Figuière <hub@figuiere.net>	2018-02-25 14:01:52 -0500
commit	e163667a06a9b656a047b0ec660b871f29a83c9f (patch)
tree	ac97112c70e4cca8244ffb66880b8049310f45a0
parent	6cbd34025e5fd3ba47b29b602096e456507ce83b (diff)