diff options
author | Hubert Figuière <hub@figuiere.net> | 2018-02-25 13:28:28 -0500 |
---|---|---|
committer | Hubert Figuière <hub@figuiere.net> | 2018-02-25 13:29:06 -0500 |
commit | 6cbd34025e5fd3ba47b29b602096e456507ce83b (patch) | |
tree | 366d27a0c56cead25681a7bec92c4a36feaf7646 | |
parent | baa4b8a02c1ffab9645d13f0bfb1c0d10d311a0c (diff) |
Bug 105204 - Fix a buffer overflow in PSD parser
-rw-r--r-- | XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp b/XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp index 12adc58..f8ab565 100644 --- a/XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp +++ b/XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp @@ -319,6 +319,12 @@ void PSIR_FileWriter::ParseFileResources ( XMP_IO* fileRef, XMP_Uns32 length ) XMP_Uns32 dataLen = XIO::ReadUns32_BE ( fileRef ); XMP_Uns32 dataTotal = ((dataLen + 1) & 0xFFFFFFFEUL); // Round up to an even total. + // See bug https://bugs.freedesktop.org/show_bug.cgi?id=105204 + // If dataLen is 0xffffffff, then dataTotal might be 0 + // and therefor make the CheckFileSpace test pass. + if (dataTotal < dataLen) { + break; + } if ( ! XIO::CheckFileSpace ( fileRef, dataTotal ) ) break; // Bad image resource. XMP_Int64 thisDataPos = fileRef->Offset(); |