Prevent an out of bounds read in strstr in JpegBase::printStructure

The xmp byte array is not necessarily null-terminated, so strstr can read beyond
the bounds of the allocated array.
Therefore use string_from_unterminated to remedy this issue.
Also replace xmp with a std::vector, as stl functions can throw and we don't
want a memory leak.
v0.27.3
Dan Čermák 7 years ago
parent 510560bbd1
commit b51b6fc52d

@ -658,8 +658,8 @@ namespace Exiv2 {
// extract XMP
if (size > 0) {
io_->seek(-bufRead, BasicIo::cur);
byte* xmp = new byte[size + 1];
io_->read(xmp, size);
std::vector<byte> xmp(size + 1);
io_->read(xmp.data(), size);
int start = 0;
// http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/xmp/pdfs/XMPSpecificationPart3.pdf
@ -670,10 +670,11 @@ namespace Exiv2 {
// and dumping the XMP in a post read operation similar to kpsIptcErase
// for the moment, dumping 'on the fly' is working fine
if (!bExtXMP) {
while (xmp[start])
while (xmp.at(start))
start++;
start++;
if (::strstr((char*)xmp + start, "HasExtendedXMP")) {
std::string xmp_from_start = string_from_unterminated((char*)&xmp.at(start), size - start);
if (xmp_from_start.find("HasExtendedXMP", start) != xmp_from_start.npos) {
start = size; // ignore this packet, we'll get on the next time around
bExtXMP = true;
}
@ -681,8 +682,7 @@ namespace Exiv2 {
start = 2 + 35 + 32 + 4 + 4; // Adobe Spec, p19
}
out.write((const char*)(xmp + start), size - start);
delete[] xmp;
out.write((const char*)(&xmp.at(start)), size - start);
bufRead = size;
done = !bExtXMP;
}
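Review bot: The new `find` call applies the `start` offset twice: `xmp_from_start` is already built from `&xmp.at(start)`, so `xmp_from_start.find("HasExtendedXMP", start)` skips the first `start` bytes of the region the old `strstr` searched, and a marker located there is no longer detected. I would search from the beginning of the substring, `if (xmp_from_start.find("HasExtendedXMP") != std::string::npos) {`. Separately, if the first NUL found is the vector's extra padding byte at index `size`, `start` becomes `size + 1`, so `xmp.at(start)` throws and `size - start` would be negative; an explicit `start < size` check before building the string would make that a handled malformed-input case, unless the caller already catches the exception. The enclosing function begins and ends outside the visible hunks.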
