Attachment #138527 for bug #202351




        ExifData::const_iterator sizes;
        ExifKey key("Exif.Thumbnail.StripByteCounts");
        sizes = exifData.findKey(key);
        if (sizes == exifData.end()) return 1;

        uint32_t totalSize = 0;
        for (long i = 0; i < sizes->count(); ++i) {
            uint32_t size = sizes->toLong(i);
            if (size > 0xffffffff - totalSize) return 1;
            totalSize += sizes->toLong(i);
        }
        DataBuf stripsBuf(totalSize);

        ExifData::iterator stripOffsets;
        key = ExifKey("Exif.Thumbnail.StripOffsets");
        stripOffsets = exifData.findKey(key);
        if (stripOffsets == exifData.end()) return 1;
        if (stripOffsets->count() != sizes->count()) return 1;

        std::ostringstream os; // for the strip offsets
        uint32_t currentOffset = 0;
        uint32_t firstOffset = stripOffsets->toLong(0);
        uint32_t lastOffset = 0;
        uint32_t lastSize = 0;
        for (long i = 0; i < stripOffsets->count(); ++i) {
            uint32_t offset = stripOffsets->toLong(i);
            lastOffset = offset;
            uint32_t size = sizes->toLong(i);
            lastSize = size;
            if (   size > 0xffffffff - offset
                || static_cast(len) < offset + size) {
                return 2;
            }
            memcpy(stripsBuf.pData_ + currentOffset, buf + offset, size);
            os << currentOffset << " ";
            currentOffset += size;

        ExifKey key("Exif.Thumbnail.JPEGInterchangeFormat");
        ExifData::iterator format = exifData.findKey(key);
        if (format == exifData.end()) return 1;
        uint32_t offset = format->toLong();
        key = ExifKey("Exif.Thumbnail.JPEGInterchangeFormatLength");
        ExifData::const_iterator length = exifData.findKey(key);
        if (length == exifData.end()) return 1;
        uint32_t size = length->toLong();
        if (   size > 0xffffffff - offset
            || static_cast(len) < offset + size) {
            return 2;
        }
        format->setDataArea(buf + offset, size);
        format->setValue("0");
        if (pIfd1) {

        if (pIopIfd_) add(pIopIfd_->begin(), pIopIfd_->end(), byteOrder());
        if (pGpsIfd_) add(pGpsIfd_->begin(), pGpsIfd_->end(), byteOrder());
        if (pIfd1_)   add(pIfd1_->begin(),   pIfd1_->end(),   byteOrder());
        // Finally, read the thumbnail
        rc = readThumbnail();
        if (0 < rc) {
#ifndef SUPPRESS_WARNINGS
            std::cerr << "Warning: Failed to read thumbnail, rc = "
                      << rc << "\n";
#endif
        }

        return 0;
    } // ExifData::load

Return to bug 202351

Lines 215-224 namespace Exiv2 { Link Here

(-)exiv2-0.13/src/exif.cpp (-17 / +30 lines)
215	ExifData::const_iterator sizes;	215	ExifData::const_iterator sizes;
216	ExifKey key("Exif.Thumbnail.StripByteCounts");	216	ExifKey key("Exif.Thumbnail.StripByteCounts");
217	sizes = exifData.findKey(key);	217	sizes = exifData.findKey(key);
218	if (sizes == exifData.end()) return 2;	218	if (sizes == exifData.end()) return 1;
219		219
220	long totalSize = 0;	220	uint32_t totalSize = 0;
221	for (long i = 0; i < sizes->count(); ++i) {	221	for (long i = 0; i < sizes->count(); ++i) {
		222	uint32_t size = sizes->toLong(i);
		223	if (size > 0xffffffff - totalSize) return 1;
222	totalSize += sizes->toLong(i);	224	totalSize += sizes->toLong(i);
223	}	225	}
224	DataBuf stripsBuf(totalSize);	226	DataBuf stripsBuf(totalSize);
Lines 228-248 namespace Exiv2 { Link Here
228	ExifData::iterator stripOffsets;	230	ExifData::iterator stripOffsets;
229	key = ExifKey("Exif.Thumbnail.StripOffsets");	231	key = ExifKey("Exif.Thumbnail.StripOffsets");
230	stripOffsets = exifData.findKey(key);	232	stripOffsets = exifData.findKey(key);
231	if (stripOffsets == exifData.end()) return 2;	233	if (stripOffsets == exifData.end()) return 1;
232	if (stripOffsets->count() != sizes->count()) return 2;	234	if (stripOffsets->count() != sizes->count()) return 1;
233		235
234	std::ostringstream os; // for the strip offsets	236	std::ostringstream os; // for the strip offsets
235	long currentOffset = 0;	237	uint32_t currentOffset = 0;
236	long firstOffset = stripOffsets->toLong(0);	238	uint32_t firstOffset = stripOffsets->toLong(0);
237	long lastOffset = 0;	239	uint32_t lastOffset = 0;
238	long lastSize = 0;	240	uint32_t lastSize = 0;
239	for (long i = 0; i < stripOffsets->count(); ++i) {	241	for (long i = 0; i < stripOffsets->count(); ++i) {
240	long offset = stripOffsets->toLong(i);	242	uint32_t offset = stripOffsets->toLong(i);
241	lastOffset = offset;	243	lastOffset = offset;
242	long size = sizes->toLong(i);	244	uint32_t size = sizes->toLong(i);
243	lastSize = size;	245	lastSize = size;
244	if (len < offset + size) return 1;	246	if ( size > 0xffffffff - offset
245		247	\|\| static_cast(len) < offset + size) {
		248	return 2;
		249	}
246	memcpy(stripsBuf.pData_ + currentOffset, buf + offset, size);	250	memcpy(stripsBuf.pData_ + currentOffset, buf + offset, size);
247	os << currentOffset << " ";	251	os << currentOffset << " ";
248	currentOffset += size;	252	currentOffset += size;
Lines 303-314 namespace Exiv2 { Link Here
303	ExifKey key("Exif.Thumbnail.JPEGInterchangeFormat");	307	ExifKey key("Exif.Thumbnail.JPEGInterchangeFormat");
304	ExifData::iterator format = exifData.findKey(key);	308	ExifData::iterator format = exifData.findKey(key);
305	if (format == exifData.end()) return 1;	309	if (format == exifData.end()) return 1;
306	long offset = format->toLong();	310	uint32_t offset = format->toLong();
307	key = ExifKey("Exif.Thumbnail.JPEGInterchangeFormatLength");	311	key = ExifKey("Exif.Thumbnail.JPEGInterchangeFormatLength");
308	ExifData::const_iterator length = exifData.findKey(key);	312	ExifData::const_iterator length = exifData.findKey(key);
309	if (length == exifData.end()) return 1;	313	if (length == exifData.end()) return 1;
310	long size = length->toLong();	314	uint32_t size = length->toLong();
311	if (len < offset + size) return 2;	315	if ( size > 0xffffffff - offset
		316	\|\| static_cast(len) < offset + size) {
		317	return 2;
		318	}
312	format->setDataArea(buf + offset, size);	319	format->setDataArea(buf + offset, size);
313	format->setValue("0");	320	format->setValue("0");
314	if (pIfd1) {	321	if (pIfd1) {
Lines 595-602 namespace Exiv2 { Link Here
595	if (pIopIfd_) add(pIopIfd_->begin(), pIopIfd_->end(), byteOrder());	602	if (pIopIfd_) add(pIopIfd_->begin(), pIopIfd_->end(), byteOrder());
596	if (pGpsIfd_) add(pGpsIfd_->begin(), pGpsIfd_->end(), byteOrder());	603	if (pGpsIfd_) add(pGpsIfd_->begin(), pGpsIfd_->end(), byteOrder());
597	if (pIfd1_) add(pIfd1_->begin(), pIfd1_->end(), byteOrder());	604	if (pIfd1_) add(pIfd1_->begin(), pIfd1_->end(), byteOrder());
598	// Read the thumbnail (but don't worry whether it was successful or not)	605	// Finally, read the thumbnail
599	readThumbnail();	606	rc = readThumbnail();
		607	if (0 < rc) {
		608	#ifndef SUPPRESS_WARNINGS
		609	std::cerr << "Warning: Failed to read thumbnail, rc = "
		610	<< rc << "\n";
		611	#endif
		612	}
600		613
601	return 0;	614	return 0;
602	} // ExifData::load	615	} // ExifData::load