Diffstat (limited to 'XMPFiles/source/FormatSupport')
-rw-r--r--XMPFiles/source/FormatSupport/ReconcileTIFF.cpp2
-rw-r--r--XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp10
-rw-r--r--XMPFiles/source/FormatSupport/TIFF_Support.hpp8
3 files changed, 15 insertions, 5 deletions
diff --git a/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp b/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp
index aa4aea6..7e89b0e 100644
--- a/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp
+++ b/XMPFiles/source/FormatSupport/ReconcileTIFF.cpp
@@ -233,7 +233,7 @@ static XMP_Uns32 GatherInt ( const char * strPtr, size_t count )
static size_t TrimTrailingSpaces ( char * firstChar, size_t origLen )
{
- if ( origLen == 0 ) return 0;
+ if ( !firstChar || origLen == 0 ) return 0;
char * lastChar = firstChar + origLen - 1;
if ( (*lastChar != ' ') && (*lastChar != 0) ) return origLen; // Nothing to do.
diff --git a/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp b/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp
index ea1b686..fcf9e43 100644
--- a/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp
+++ b/XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp
@@ -70,7 +70,7 @@ void TIFF_MemoryReader::SortIFD ( TweakedIFDInfo* thisIFD )
} else if ( thisTag == prevTag ) {
// Duplicate tag, keep the 2nd copy, move the tail of the array up, prevTag is unchanged.
- memcpy ( &ifdEntries[i-1], &ifdEntries[i], 12*(tagCount-i) ); // AUDIT: Safe, moving tail forward, i >= 1.
+ memmove ( &ifdEntries[i-1], &ifdEntries[i], 12*(tagCount-i) ); // may overlap -- Hub
--tagCount;
--i; // ! Don't move forward in the array, we've moved the unseen part up.
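Review bot: The new comment `// may overlap -- Hub` on this memmove, and on the one in the next SortIFD hunk, drops the reasoning the old AUDIT comment carried, and the length is still built from the literal 12. I would spell out the direction and tie the size to the element type, e.g. `memmove ( &ifdEntries[i-1], &ifdEntries[i], sizeof(ifdEntries[0])*(tagCount-i) ); // Overlapping: tail shifts down one entry, i >= 1.` The entry type is declared outside these hunks, so confirm that its size really is the 12 bytes assumed here. SortIFD's body starts and ends outside both hunks.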
@@ -86,7 +86,7 @@ void TIFF_MemoryReader::SortIFD ( TweakedIFDInfo* thisIFD )
// Out of order duplicate, move it to position j, move the tail of the array up.
ifdEntries[j] = ifdEntries[i];
- memcpy ( &ifdEntries[i], &ifdEntries[i+1], 12*(tagCount-(i+1)) ); // AUDIT: Safe, moving tail forward, i >= 1.
+ memmove ( &ifdEntries[i], &ifdEntries[i+1], 12*(tagCount-(i+1)) ); // may overlap -- Hub
--tagCount;
--i; // ! Don't move forward in the array, we've moved the unseen part up.
@@ -232,7 +232,11 @@ bool TIFF_MemoryReader::GetTag ( XMP_Uns8 ifd, XMP_Uns16 id, TagInfo* info ) con
info->dataLen = thisBytes;
info->dataPtr = this->GetDataPtr ( thisTag );
-
+ // Here we know that if it is NULL, it is wrong. -- Hub
+ // GetDataPtr will return NULL in case of overflow.
+ if (info->dataPtr == NULL) {
+ return false;
+ }
}
return true;
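Review bot: `info->dataLen` and `info->dataPtr` have already been written when the new check returns false, so a caller that ignores the result is left with a non-zero length paired with a NULL pointer. Resolving the pointer into a local first, testing it with `if ( dataPtr == NULL ) return false;`, and only then filling `info` keeps the output untouched on failure. Any other callers of GetDataPtr are not visible here and presumably need the same NULL handling now that it can fail. GetTag's body begins outside the hunk.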
diff --git a/XMPFiles/source/FormatSupport/TIFF_Support.hpp b/XMPFiles/source/FormatSupport/TIFF_Support.hpp
index d4e2f4d..e3e458b 100644
--- a/XMPFiles/source/FormatSupport/TIFF_Support.hpp
+++ b/XMPFiles/source/FormatSupport/TIFF_Support.hpp
@@ -786,7 +786,13 @@ private:
{ if ( GetUns32AsIs(&tifdEntry->bytes) <= 4 ) {
return &tifdEntry->dataOrPos;
} else {
- return (this->tiffStream + GetUns32AsIs(&tifdEntry->dataOrPos));
+ XMP_Uns32 pos = GetUns32AsIs(&tifdEntry->dataOrPos);
+ if (pos + GetUns32AsIs (&tifdEntry->bytes) > this->tiffLength) {
+ // Invalid file.
+ // The data is past the length of the TIFF.
+ return NULL;
+ }
+ return (this->tiffStream + pos);
}
}
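Review bot: The bounds check `pos + GetUns32AsIs (&tifdEntry->bytes) > this->tiffLength` adds two 32-bit values that both come from the file, so the sum can wrap around and a large offset with a large count still passes as in range. Comparing without the addition avoids the wrap: `XMP_Uns32 len = GetUns32AsIs(&tifdEntry->bytes);` followed by `if ( pos > this->tiffLength || len > this->tiffLength - pos ) return NULL;`. The type of `tiffLength` is declared outside the hunk; if it is wider than 32 bits, widening `pos` before the addition would also work. The comment in GetTag says NULL is returned "in case of overflow", which is only true once the wrap case is covered.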