Commit 5daadc0b authored by Tobias Mueller, committed by Bastien Nocera

jpeg: Check for integer overflows in app1 EXIF tags

In jpeg_parse_exif_app1(), we would usually read offsets this way:

    /* read out the offset pointer to IFD0 */
    offset  = de_get32(&marker->data[i] + 4, endian);
    i = i + offset;

"i" is then used to peek into the buffer and read bytes.

    tags = de_get16(&marker->data[i], endian);
    i = i + 2;

But as the addition may overflow, we need to check whether the result of
the addition would overflow and wrap around.

https://bugzilla.gnome.org/show_bug.cgi?id=775218
parent ca523901
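
The wraparound described in the commit message, shown next to a bounds check that cannot itself overflow. This is an added example, not the code from this commit: `get32le`, `unchecked_next`, `checked_advance`, `ifd0_tag_count`, the 32-bit index type and both sample buffers are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed sample: "Exif\0\0", TIFF header "II*\0", IFD0 offset 8, tag count 3. */
static const uint8_t good_app1[16] = { 'E','x','i','f',0,0, 'I','I',0x2A,0,
                                       0x08,0,0,0, 0x03,0 };
/* Constructed sample: same bytes, but IFD0 offset 0xFFFFFFFE, so 6 + offset wraps to 4. */
static const uint8_t evil_app1[16] = { 'E','x','i','f',0,0, 'I','I',0x2A,0,
                                       0xFE,0xFF,0xFF,0xFF, 0x03,0 };

static uint32_t get32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The pattern from the commit message: the sum is used as an index unchecked. */
uint32_t unchecked_next(uint32_t i, uint32_t offset)
{
    return i + offset; /* wraps modulo 2^32 and can land back inside the buffer */
}

/* Advance *i by offset only if the sum does not wrap and `need` bytes remain
 * before `len`. Every test subtracts from len, so no intermediate can overflow. */
bool checked_advance(uint32_t *i, uint32_t offset, uint32_t len, uint32_t need)
{
    if (*i > len || offset > len - *i || need > len - *i - offset)
        return false;
    *i += offset;
    return true;
}

/* Returns the IFD0 tag count, or -1 if the offset points outside the data.
 * `i` is the index of the TIFF header; little-endian only, for brevity. */
int ifd0_tag_count(const uint8_t *data, uint32_t len, uint32_t i)
{
    if (i > len || len - i < 8)
        return -1;
    if (!checked_advance(&i, get32le(data + i + 4), len, 2))
        return -1;
    return data[i] | data[i + 1] << 8;
}

int main(void)
{
    return !(ifd0_tag_count(good_app1, 16, 6) == 3 &&
             ifd0_tag_count(evil_app1, 16, 6) == -1);
}
```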