Added boundary check for next IFD to Ifd::read, fixes bug #479.

src/ifd.cpp

@@ -318,7 +318,13 @@ namespace Exiv2 {
         long o = start;
         Ifd::PreEntries preEntries;
 
-        if (len < o + 2) rc = 6;
+        if (o < 0 || len < o + 2) {
+#ifndef SUPPRESS_WARNINGS
+            std::cerr << "Error: " << ExifTags::ifdName(ifdId_)
+                      << " lies outside of the IFD memory buffer.\n";
+#endif
+            rc = 6;
+        }
         if (rc == 0) {
             offset_ = start - shift;
             int n = getUShort(buf + o, byteOrder);
@@ -362,6 +368,14 @@ namespace Exiv2 {
                     pNext_ = const_cast<byte*>(buf + o);
                 }
                 next_ = getULong(buf + o, byteOrder);
+                if (   static_cast<long>(next_) + shift < 0 
+                    || static_cast<long>(next_) + shift >= len) {
+#ifndef SUPPRESS_WARNINGS
+                    std::cerr << "Warning: " << ExifTags::ifdName(ifdId_)
+                              << ": Pointer to next IFD is out of bounds; ignored.\n";
+#endif
+                    next_ = 0;
+                }
             }
         }
         // Set the offset of the first data entry outside of the IFD.

test/bugfixes-test.sh

@@ -54,6 +54,10 @@ num=447 # Problem only visible in Valgrind
 filename=`prep_file $num`
 $binpath/exiv2 -pi $filename
 
+num=479
+filename=`prep_file $num`
+$binpath/exiv2 -pt $filename
+
 ) > $results 2>&1
 
 if [ x`which unix2dos.exe` != x ]; then

test/data/bugfixes-test.out

@@ -210,3 +210,28 @@ Warning: Exif tag 0x9286 has invalid Exif type 14; using 7 (undefined).
 Iptc.Application2.Caption                    String      0  
 Iptc.Application2.DateCreated                Date        8  2005-08-09
 Iptc.Application2.TimeCreated                Time       11  01:28:31-07:00
+------> Bug 479 <-------
+Warning: IFD0: Pointer to next IFD is out of bounds; ignored.
+Exif.Image.ImageWidth                        Short       1  3173
+Exif.Image.ImageLength                       Short       1  2011
+Exif.Image.Software                          Ascii      10  LightZone
+Exif.Image.0x013c                            Ascii      20  Linux 2.6.15-23-686
+Exif.Image.0x829a                            Rational    1  16/5
+Exif.Image.0x829d                            Rational    1  9/1
+Exif.Image.ExifTag                           Long        1  784
+Exif.Image.0x8822                            Short       1  1
+Exif.Image.0x8827                            Short       1  250
+Exif.Image.0x9000                            Undefined   4  48 50 50 49 
+Exif.Image.0x9003                            Ascii      20  2006:05:27 12:37:03
+Exif.Image.0x9004                            Ascii      20  2006:05:27 12:37:03
+Exif.Image.0x9101                            Undefined   4  0 0 0 0 
+Exif.Image.0x9201                            SRational   1  -54987/32768
+Exif.Image.0x9202                            Rational    1  1623/256
+Exif.Image.0x9204                            SRational   1  0/1
+Exif.Image.0x9207                            Short       1  5
+Exif.Image.0x9209                            Short       1  16
+Exif.Image.0x920a                            Rational    1  24/1
+Exif.Image.0x9286                            Undefined 264  (Binary value suppressed)
+Exif.Photo.ExifVersion                       Undefined   4  48 50 50 48 
+Exif.Photo.PixelXDimension                   Short       1  3173
+Exif.Photo.PixelYDimension                   Short       1  2011