From d3d2d4c023ec48cf51c4f0c332e3440842fdaa0f Mon Sep 17 00:00:00 2001
From: Andreas Huggel <ahuggel@gmx.net>
Date: Sun, 2 Jul 2006 12:19:17 +0000
Subject: [PATCH] Added boundary check for next IFD to Ifd::read, fixes bug
 #479.

---
 src/ifd.cpp                 |  16 +++++++++++++++-
 test/bugfixes-test.sh       |   4 ++++
 test/data/bugfixes-test.out |  25 +++++++++++++++++++++++++
 test/data/exiv2-bug479.jpg  | Bin 0 -> 5581 bytes
 4 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 test/data/exiv2-bug479.jpg

diff --git a/src/ifd.cpp b/src/ifd.cpp
index 91671fbf..0cc9bd85 100644
--- a/src/ifd.cpp
+++ b/src/ifd.cpp
@@ -318,7 +318,13 @@ namespace Exiv2 {
         long o = start;
         Ifd::PreEntries preEntries;
 
-        if (len < o + 2) rc = 6;
+        if (o < 0 || len < o + 2) {
+#ifndef SUPPRESS_WARNINGS
+            std::cerr << "Error: " << ExifTags::ifdName(ifdId_)
+                      << " lies outside of the IFD memory buffer.\n";
+#endif
+            rc = 6;
+        }
         if (rc == 0) {
             offset_ = start - shift;
             int n = getUShort(buf + o, byteOrder);
@@ -362,6 +368,14 @@ namespace Exiv2 {
                     pNext_ = const_cast<byte*>(buf + o);
                 }
                 next_ = getULong(buf + o, byteOrder);
+                if (   static_cast<long>(next_) + shift < 0 
+                    || static_cast<long>(next_) + shift >= len) {
+#ifndef SUPPRESS_WARNINGS
+                    std::cerr << "Warning: " << ExifTags::ifdName(ifdId_)
+                              << ": Pointer to next IFD is out of bounds; ignored.\n";
+#endif
+                    next_ = 0;
+                }
             }
         }
         // Set the offset of the first data entry outside of the IFD.
diff --git a/test/bugfixes-test.sh b/test/bugfixes-test.sh
index ded56620..b52b7ebe 100755
--- a/test/bugfixes-test.sh
+++ b/test/bugfixes-test.sh
@@ -54,6 +54,10 @@ num=447 # Problem only visible in Valgrind
 filename=`prep_file $num`
 $binpath/exiv2 -pi $filename
 
+num=479
+filename=`prep_file $num`
+$binpath/exiv2 -pt $filename
+
 ) > $results 2>&1
 
 if [ x`which unix2dos.exe` != x ]; then
diff --git a/test/data/bugfixes-test.out b/test/data/bugfixes-test.out
index 5a9eafd0..ca368b85 100644
--- a/test/data/bugfixes-test.out
+++ b/test/data/bugfixes-test.out
@@ -210,3 +210,28 @@ Warning: Exif tag 0x9286 has invalid Exif type 14; using 7 (undefined).
 Iptc.Application2.Caption                    String      0  
 Iptc.Application2.DateCreated                Date        8  2005-08-09
 Iptc.Application2.TimeCreated                Time       11  01:28:31-07:00
+------> Bug 479 <-------
+Warning: IFD0: Pointer to next IFD is out of bounds; ignored.
+Exif.Image.ImageWidth                        Short       1  3173
+Exif.Image.ImageLength                       Short       1  2011
+Exif.Image.Software                          Ascii      10  LightZone
+Exif.Image.0x013c                            Ascii      20  Linux 2.6.15-23-686
+Exif.Image.0x829a                            Rational    1  16/5
+Exif.Image.0x829d                            Rational    1  9/1
+Exif.Image.ExifTag                           Long        1  784
+Exif.Image.0x8822                            Short       1  1
+Exif.Image.0x8827                            Short       1  250
+Exif.Image.0x9000                            Undefined   4  48 50 50 49 
+Exif.Image.0x9003                            Ascii      20  2006:05:27 12:37:03
+Exif.Image.0x9004                            Ascii      20  2006:05:27 12:37:03
+Exif.Image.0x9101                            Undefined   4  0 0 0 0 
+Exif.Image.0x9201                            SRational   1  -54987/32768
+Exif.Image.0x9202                            Rational    1  1623/256
+Exif.Image.0x9204                            SRational   1  0/1
+Exif.Image.0x9207                            Short       1  5
+Exif.Image.0x9209                            Short       1  16
+Exif.Image.0x920a                            Rational    1  24/1
+Exif.Image.0x9286                            Undefined 264  (Binary value suppressed)
+Exif.Photo.ExifVersion                       Undefined   4  48 50 50 48 
+Exif.Photo.PixelXDimension                   Short       1  3173
+Exif.Photo.PixelYDimension                   Short       1  2011
diff --git a/test/data/exiv2-bug479.jpg b/test/data/exiv2-bug479.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..16743da0f17ab5543a2ea24a073c61308846205c
GIT binary patch
literal 5581
zcmeHmc|6o#^!|Iy*k#GSW#1WN#+Id$od#nk3S$Y`qiiW@NM@{q>^ozN%2u|FJyDbt
z6<NweB>VaupO)W0zkj~}f6sfl&pr3K&pG$J&OMqqng*DS^bGX?5C{YqkRRY^27F%k
zhNn9KAd!GH001-q8wdcvWCUVxBmY3ZG4&)FD*zN^KOGrGgEaobY-F4eodr-H^T}^P
zbnZV~5$g#+e*3}9al*fKj#+UMfAB5<Bmn?5nFE2r;R;FMf0}hkkbk&48T6Y&<^d_7
z<M{u@nn<De7i&5N^3VS*h5C;^Ija=fKbV<}>HhIoQ!vMxAR6+wUGO&t1sJU0&v}m{
z6j1!$d!mkv!M`!BAOI9G{?!2kMNI!NO%d~-SmY{|{M8{RTk=QeShM7h4%rQqQ2pT_
zPsnz`)8ooDdp}<{GV%?+Aqa;mLlu<d;0QToRpny>`3(O>qa}|ZI1Hw&22)als|YH<
z)etIbFa+@b^Bo;YDFMJO@)jza{|ZM&WFzMSaQzvN=l^Hmq+8@7s006R{M#3BIP7mP
z9N&q*y>NUdj_qg?&<3a=lvI=uDk@4UYHBJPI%YaLT3R|bMkWSkPBtzsPBsn>9)2+a
z9$pbX4h}(CK@o8YDQPKg0XdkQBuq?FO7d6)L`_XiM?=R-N5?A3!@(o@zqX@JfQ1IQ
z2&98S!T<#e2+RUH>IV1#fCBuxAActdP*Q;*)BuQrhP<l53{Ze5AP@=~2!x7EBew<x
z7{UTjo)n^DRnS5?Q?m&N+)gg67lEID&0+q0m0c9!5;!A{9{ow)%>z2tKHl}$D8K-S
zTnqA=7z;o_0iq-`$iDv!L;<jXAt!|tw1ipN;3!JxfTIrp134%K3z!8s3yh$hKl>>}
zTbd5sozrgXq^1C!S_z>cMw#(2&ObvBT7D(u8<<%qj7St$>AR%r)VwQfJOVCG>s~`~
zs#z+=66tT=f6SRJlohWhFkkX?>M;HD52g|7AnpX|;h2wFf|K(bji+}D=zVa{2sZFi
z1CpU$YX(V;0lM&HeT`sPEbt>mGqJC}dvqb%Lz3@F#^#eBRDuNAS8d5T;(bOb5n)dB
z+mM(ZjUVw6`V+>qi{%yD!8^`(ZcD?*(o8`mrD2)2@~3Ah*RwY|KGSJvXInr^bnzt=
z#0eR{JZk@qz^r0+q$nN>8{@nF*lTOn1%175sPt<^Pw%RQa?6{dw}1~%uGrnivkbyS
zcE<|@29%*}&1<7i+t-IHgs-+%(?Q<c;-;u~dYWjQ&$M`#U+kibR?}7Qu_zvl9#M}m
z`2qBiv|i`r&E}Xvnvcsz0Q++v!9u2G@c4G2CXbi6^4Q$<-X6j0;Cn{jn7;SXia73s
zwQWDnbW?hh)Tj6=Py3d&?nl$^Yg;bSgjHo?8iD^sVyj3`7Y(cY5LD{jmC~uq{lvYS
z6H(EG<iXQIv8aSQ82GGRX0HPagNH>^21bbhs=%JdvzE_^I1zWEu7-}R*#;aMo6I}7
z4kEN!A+GOCdViE0MAY5XvAdTJe+Zg_AGG2SgZAm7GBC(hEmfz1AdB-uv<t;c-$JPQ
zmab|Q)4(*il`eq5{KI8^PWVXG2l%z0!?8PI@O%YaPu)2$Bqn0+t1;fmD#JwsrbiKJ
z2t4-nH%?reHO`c~s=Zoy-A`iW*Y{t<COY%39Hopnf^bTam8@|AddAs5Vx>{NdD5Rj
zGY(u2*@YA4-GgDzDuaZYMYpIAhsD+(<QN;8B6X26A_Lcxs{G0eJ`a7K$AV+5#a_Pl
zh)<J|qUcYjuHC#Wi}<P`kny$ulx4YH2xv(eT=0u`$624{>XxIPaEfXs6Q%o`?ktCK
zvnG-Bxk%dHQe}taG1=-Dd>5bs&%$FPTr`kr)~?(euG}$31^pv5+QDw^pO&8m_Z)H$
zJs$i}vG`2_{~7=}d=$C-4HkOs`^A)#Kf6P!Q_{x8_=K$Onke3d@c#&Bkp0Q%r=P|V
zD{t_rvFDV(3Tg^`|9zU$we>aK419Vm%CoXG*(`svLc*;J4>hzn5oT)dnM2iL-gBFO
z7o4!2Z1L?0{Q21>O;|(+hWq|aO_Mxl&6T$HOuG$k5-3Z}^D5O+oY5rX>3k6-g9593
zJog(PH_qLiS!8j+AQECuEJe*)*}y$nBq0|Y8apnZ<-5dhG%Mhk`K*0tXZl7>+)u7m
z*<pE~;jQK9h8;&Slc>xiAl6jA@>jODEZUHhMA?H8FBw2dqeD+O&~dQ}$U+~=eCEAq
z8Ly6ax$-{54($I?(M_8jt4+G}%r6EiH3Pj2FPEV!@O1|KjsStl6L*xV>5F)7OeZXt
z;yNZdzNi(RwAR7C^6|g9J%9K@#GV`K%GOeI=~Ch8`by{rZjK|sd%8`4W8CN`k*TV$
zV$z~;Vt*AK-+U=ifv{1joPwY9fOuJ-(X83%`N6U7BkKJ<IJKCuf@5|h9NW>J-e(A3
z41_Ld5Y5WMM;TrmTzDRul{H|QoMxvHR|gy%HcKHbO5<b-Gu%5I;Lrf1Vp^z@yR*TV
zXl3Q2XRN*-?y%gMa_d?h?-3oEk%2fD;ZJ^u6SQl!DbItEu2miZSG-V{bu3DTkg(RP
z!7MH9>hy2kB6Ne3&(}>PH}|2lw87?>^P;WD3kZ#@YWw+fu65stk?p(@{@(I0NHf!^
zaGZm1hP{!=xCrWVL$B1FMNf|VPohbueubAFscpFlg$+v@(@vM;tP&Z`j1l9yO;Eh0
z_34xCqUWQVXVbsf<3ck{3vo1t=nR#YLi=`F%vJP@)KvmE1%f<E2d0Q=Z;Zqbt`rzm
zt!kb@Gp4awhDM&PM2%T!8AJ(BgaeyY2QWlj;8c6QbQPXZD97ji!ORX>6BU)W-DX`C
z+5kHO;=YK@Pa#Zu{9l?nS`*C5vk4h?O+o%)dpKEZfBo%KmZ!4pN}{*$E_?-`Z^&BH
z?&XNknE^43ZE2bIkaj@RrEUQcY+$Za^^434)KJUDJ2T$Q5q%dtdS7OIA=zW6hEgT_
zg(`CeqtoFpztGnGKn`<}nonX>PuXWgOQN8|XhA@IiFktB_o8W<zU;M<R-CWHp;H@1
zLBO~@DH098dSBvZkj@7WC*Sza^<N?#-h1_iW$r$0&%ID10r82@0UH=jvTP&Hv2#<)
z%<pRi=NBkjKjxxsD1qi4H}(bZB6XnB4q9~DS?MzC{FhMI)Ssc)<tRz<@#V1-`yrdt
ztqYaN{y07P{b5peq-h^d{gr;NX5MB}`07Ijw;lYcO8ag~<Q!e$)BCvXmb|&7IXtY>
z6>%@sM!^Odr!44~u=hIHcyvKBzB|bBc1OV2cMOwZi({l|<@hUoNm@Y$k^x=K=pirL
z?(}7SAD!pzLPkc&um`tAtnrSu{;&6W+~bu~%5`sfIP!vL!jAwC&^Gw4L`Aw<7U@GQ
z%zhBNlp%Z&KDkNs;J4`^wm`GOcc+T+lmil0O@8W3HFdXdfu6@ubGU~(NMWw6C%qWK
zh|>*mbR7Yelj}rA=ibv+8gOlPrHky=bPyx9Y@gjm&cm&)Vf}N?Wr%*p7E_Cv&)@Hl
zAbE{z(tPIM%v?K3Lsf(`ObhbT)irwjM*Vx>_)5p{_O69=+!<3tq%D~39$U2L#LH%5
zaV4cHE77Rv*!Pp}ev?cOegt!vrlzae7mh&L&k{zK-^`kD$Qp_xIQtjS4~7kofTV?o
z=|)8ogrpd>8yNNN+%CFqOjmy(e(PgXM`E5j_hf(y$|?Z;y33R*iVY#6%ZO=D1Ah?i
zOn$S`i|t!~8%6Ye;-%AYf`<xQZRypbvc(|k@5UGWphXd{V6>Y)m>5_zlbPEJ>b>3F
zde$n(%`(8^ElnuHqesncOO18UE1%upRKrZ%)+TP8DQ6xE(xeV&3_!1|N=jZSykv~j
zw5v0}q+LEAeXlE+rMrH2N=GKRe$OR?`BkH_9v)$mQ2iV*)5Si^%dO8T)a?8|u)zJ%
zCaqND(rvSgRBM$F9<^2$)e`#ewN(^1ZY?(LWAD~IB))CA>2~R*oC9BTB!Qhz;mrAo
z*im`jF*8&Ux7|sZwbyci-OTb)O?UU}mbkbl2`V;lUnRmzuQk%fpm!POk&Z|Fl7Z-L
z0_9T}Fv+FQWMSS_W>^}M#+zIozB6k&t#NSUj&!<x`MmYilVsrudS8Ci#PCo)xt|M$
z(2H5*t4-u$wrasS6~8y!oeEW15a0_=wgVYZ)-tb0kv@0(w>m5+P$ezNH5~!X9g871
zj(|G^N6>3Iqh1!C57-8WeGJ{M$c!|p-cHj}9tnn6h)~c&tLjeeF`Nn09e}qiKH9*g
zi{bf8-}|A<-ZhzI)`dh02;Eipb)BLoTAA<WIwFP2OT;3Z#Fxqm0`x11MV0WUVL3R5
zR?(|9Co;^JOkHlO&#Di4IiE(O2%^uQrtX(Boz{)2cDq9QG?8ffbewuQ3dh`%T>Zoy
zVQ$aWYh#pjR??tqxxc70ue7y3@oSF0MP7htN({DQ+Sfs?7_!K3a;WM5cF{sz(awC{
zzoDv%W6e{&k9{{HEMgUl@5Q90E)9WN`1gM%BJT1!%>~|Ie!Re{TWTtQ{s{Qaui>vR
zTvk2wpfnrLFRXMwv+qd+)#P-D>G_>fyIa{kr<T6Y%p3tXf@)KB>Bh{ubONApUG!U1
zd#wlCJsmCQeg+M@<v&kx`%+fF!xndqLx*DgTLI%&Zzc`*p8*&4Q8^7(IxM0J4TTB!
zznM;Lbx&C&EohiNV5_ag;L>4sg3{+Cy0;r8Emrs6E6EJMHT%FO+j)cW-C``pG50-;
zKK(37<GJh!r?kqDrM|5`=QDRS%G1+SlvK`E@y9tF0cKlWITF&V5gY7^Pu8rANR~2&
zB?2d6J0KbNe_ginYI?C~)>>T}oI)MYeCh^%5$oMTsm04*v(oeUT(JoLf(i?~pJvhq
zy}F1=PQ5}+IPD8%@>LxYNs4_T41ETFaH69Yk#F=iLaXN&%0gd9I9mK`;FpxSl(wrr
zV<#HcbidOn3AaX*<Y(Ris$B&Qk&tT<Bet<WgXPaPemb<~-G_ZduzR1Z!g=8M%0>c7
zs-7-`gmDG$Ck<4~v*DM6R{IL3<8fjy572SmJd#OK#dP*B!&!pnG&B^#V-N{M6+#Lv
z%8rfW<oejO#;S>lNO^f}di+zjlIny-xBQ7M-gS}TZTX3Qu3LgWn;bJY1qM{TTx~r=
z-_psBs-NUJpvEuHU>H_3aR#SY@#nO|jVw3(PUVJl@`RNTVvO19hV`cUr(in?dMhYs
zDGLEy_(pkaM&Gg%waK3(sr}xM_3ivl#NFw5PcCqYX0^}Q-pbvC7aBD~ztRYmx3p;!
z)B39ocvGVm<0?ff@8L=Xp>vgp!~#{YRi61&m7#d;4EkXCF6ZEvR%Y825sienVEXii
z#LS*=%~=t7_wH({4V5<3mJ5Hf)hqeJ;~K7R3CDe)J_2kvhnkc5xYkI4v1Ki|qR394
zt?mnU(A^~NQ*M{fc;}8}xpQFWG`Zeeh5-4pRzs@Mn6!_T$@x3Zn<Ha>wTS&s_UW}5
z?{eqU1cv55eQeLHF~On~1I|~Ew$N2l{xH?T&gx*-7v=z@N^F~;oJ4he7_Edg@c1;X
z_oYv&>E)w&uERQ^>~hb%)9Uw}^sI;t!iu+1=97;VNZ~Vi8FxL=(Hj(YZf%?I1CsMi
z?_ud<Kx<TIQhy~~YcxDh-0>wY-y^AJ-+R1YTZGAvO;M~#=z7TIg4~@*KJfoV%#k-C
zjqaAX06x{Vb31&h?x@T!*qJ10DH_5nosaQ{6D}U+^f4qZZEJV=lrZ@b5+SiVQ0l>n
zCx&AEJD2&f7-uW%^9{un_dPi4oWl6)Cq#1ZHC#N&X4^(=Bxv*D^dF-;-Z8vaH2Bn{
zOV=c2iS=m~dpOn!j>#$1Hc!$wGu*yLZ2d8ip<R$1sq$;eY4yawP<4>h`duAOM^edx
z98zJlI(ociJIVu)EYDWJWaw&Hro&VDg})kQ?>+RZRct>CDjrJ48)X`^IKM-#{Oa}V
zd|l-lG}N_5708wEzsDz3jTQ}+#2Mi1*cG`Wr9}<ceO?8hah+x=eJUwqBUedxGSsZL
z<AgHD8OJj>oCblw;1zHCZR^>Al9a0SA4WosB3-i)Zlm?5weHO8*0K(X7KciHh49-~
zNBCeVFm<8^+Q7&%?~Rb&C@UW51-x{D$>VQKpT>Ee4lgY^#V=h)ZF2e6Tv=fW(Rp>{
z`%5KNAX#X0a`50xret92GxfPzXG0+SSCHcEa9nKLuCwDkHIRA`u<bO@miT>O`BXUt
z_UUb`_2Im1U-a5HX+<$sK<(pX6rx?G-8948Q(>&E;Hm*<)9`j+o=vtyZmG*l-aU!t
zPRY(>S13rxZ>*h@5ZI*0VkU02h!Fp(hcH658l80GAKz0M@0*F&U`dx%h#xqo1gF<i
z%Y4_em0zYPJ?aWC-ZQWzSiDN4M<WKsQ}Q+D&(EXb>@pMgXHEFE=R0j)bM&@kSwXHa
zrwlQ2uO-xt9J*YmzfeA9yUhR@V6neJq>r9V#PK066LVb>-(!){xI26W-l=@K4tN>l
ztU`40TH1l~@><W+IQB)Fx_u<>2&lNG%1t#oq;Ey>$woC!UG~1aPyY&5DyPySoNm59
gSPPNS><+N}=tF;q@_f_y)kK{UbgRH=<mmnX0KyjeiU0rr

literal 0
HcmV?d00001