28 lines
923 B
Diff
28 lines
923 B
Diff
|
From: Ludovic Rousseau <rousseau@debian.org>
|
||
|
Date: Wed Sep 5 15:32:00 CEST 2018
|
||
|
Subject: Fix heap buffer overflow
|
||
|
|
||
|
Bug-Debian: http://bugs.debian.org/907925
|
||
|
Description: Fix CVE-2018-17088
|
||
|
|
||
|
--- gpsinfo.c
|
||
|
+++ gpsinfo.c
|
||
|
@@ -4,6 +4,7 @@
|
||
|
// Matthias Wandel, Dec 1999 - Dec 2002
|
||
|
//--------------------------------------------------------------------------
|
||
|
#include "jhead.h"
|
||
|
+#include <stdint.h>
|
||
|
|
||
|
#define MAX_GPS_TAG 0x1e
|
||
|
|
||
|
@@ -101,7 +102,7 @@
|
||
|
unsigned OffsetVal;
|
||
|
OffsetVal = Get32u(DirEntry+8);
|
||
|
// If its bigger than 4 bytes, the dir entry contains an offset.
|
||
|
- if (OffsetVal+ByteCount > ExifLength){
|
||
|
+ if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
|
||
|
// Bogus pointer offset and / or bytecount value
|
||
|
ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0);
|
||
|
continue;
|
||
|
|