xymp
/
exiv2
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

dirLength == 0 can cause an infinite loop.

Browse Source
main
Kevin Backhouse 4 years ago
parent 093dca0281
commit caf08b229e
No known key found for this signature in database
GPG Key ID: 9DD01852EE40366E
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File

2
src/image.cpp
Unescape Escape View File

@ -334,6 +334,8 @@ namespace Exiv2 {
throw Error(kerCorruptedMetadata); throw Error(kerCorruptedMetadata);
} }
uint16_t dirLength = byteSwap2(dir,0,bSwap); uint16_t dirLength = byteSwap2(dir,0,bSwap);
// Prevent infinite loops. (GHSA-m479-7frc-gqqg)
enforce(dirLength > 0, kerCorruptedMetadata);
if ( dirLength > 500 ) // tooBig if ( dirLength > 500 ) // tooBig
throw Error(kerTiffDirectoryTooLarge); throw Error(kerTiffDirectoryTooLarge);

Write Preview
Loading…
Cancel
Save