jpeg: Check for integer overflows in app1 EXIF tags
In jpeg_parse_exif_app1(), we would usually read offsets this way:

    /* read out the offset pointer to IFD0 */
    offset = de_get32(&marker->data[i] + 4, endian);
    i = i + offset;

"i" is then used to peek into the buffer and read bytes.

    tags = de_get16(&marker->data[i], endian);
    i = i + 2;

But as the addition may overflow, we need to check whether the result of the addition would overflow and wrap-around.

https://bugzilla.gnome.org/show_bug.cgi?id=775218
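As an added illustration of the check this commit describes (example code, not the project's own), the following C reads the EXIF APP1 TIFF header and guards the IFD0 offset addition both against wrap-around and against landing outside the marker buffer. de_get16/de_get32 mirror the accessors named in the commit message; safe_advance, exif_ifd0_tag_count and the endian constants are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed example: overflow- and bounds-checked walk of an EXIF APP1
 * TIFF header. de_get16/de_get32 mimic the accessors in the commit message;
 * every other name here is an assumption for illustration. */
enum { ENDIAN_LITTLE = 0, ENDIAN_BIG = 1 };

static uint16_t de_get16(const uint8_t *p, int endian)
{
    return endian == ENDIAN_BIG ? (uint16_t)((p[0] << 8) | p[1])
                                : (uint16_t)((p[1] << 8) | p[0]);
}

static uint32_t de_get32(const uint8_t *p, int endian)
{
    return endian == ENDIAN_BIG
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* i = i + offset, but only if the sum cannot wrap and `need` more bytes
 * remain in the buffer of size `len` after the new position. */
static bool safe_advance(size_t *i, uint32_t offset, size_t need, size_t len)
{
    if (offset > SIZE_MAX - *i) return false;        /* addition would wrap around */
    size_t ni = *i + offset;
    if (ni > len || need > len - ni) return false;   /* lands or reads past the end */
    *i = ni;
    return true;
}

/* data points at the TIFF header (just after "Exif\0\0"): byte order (2),
 * magic 42 (2), IFD0 offset (4). Returns the IFD0 entry count, or -1 when
 * the header is truncated, the magic is wrong, or the offset is bogus. */
int exif_ifd0_tag_count(const uint8_t *data, size_t len)
{
    if (len < 8) return -1;
    int endian;
    if (data[0] == 'I' && data[1] == 'I') endian = ENDIAN_LITTLE;
    else if (data[0] == 'M' && data[1] == 'M') endian = ENDIAN_BIG;
    else return -1;
    if (de_get16(data + 2, endian) != 42) return -1;
    size_t i = 0;
    uint32_t offset = de_get32(data + 4, endian);    /* offset pointer to IFD0 */
    if (!safe_advance(&i, offset, 2, len)) return -1;
    return de_get16(data + i, endian);               /* number of IFD0 tags */
}
```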
parent ca523901