Check for buffer overflow

author Cristy <urban-warrior@imagemagick.org>

Mon, 24 Jun 2019 01:00:35 +0000 (21:00 -0400)

committer Cristy <urban-warrior@imagemagick.org>

Mon, 24 Jun 2019 01:00:35 +0000 (21:00 -0400)
author Cristy <urban-warrior@imagemagick.org>
Mon, 24 Jun 2019 01:00:35 +0000 (21:00 -0400)
committer Cristy <urban-warrior@imagemagick.org>
Mon, 24 Jun 2019 01:00:35 +0000 (21:00 -0400)
diff --git a/MagickCore/property.c b/MagickCore/property.c

index 8e6bfa3fc2f9c04ea4b6749c8635549063c09272..bd0d98744025347658cf3046f75867d734248cd8 100644 (file)
--- a/MagickCore/property.c
+++ b/MagickCore/property.c
@@ -1475,6 +1475,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
              buffer[MagickPathExtent],
              *value;
  
+          if ((p < exif) || (p > (exif+length-tag_bytes[format])))
+            break;
            value=(char *) NULL;
            *buffer='\0';
            switch (format)
@@ -1536,9 +1538,11 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
                EXIFMultipleValues(8,"%f",*(double *) p1);
                break;
              }
-            default:
              case EXIF_FMT_STRING:
+            default:
              {
+              if ((p < exif) || (p > (exif+length-number_bytes)))
+                break;
                value=(char *) NULL;
                if (~((size_t) number_bytes) >= 1)
                  value=(char *) AcquireQuantumMemory((size_t) number_bytes+1UL,
author	Cristy <urban-warrior@imagemagick.org>
	Mon, 24 Jun 2019 01:00:35 +0000 (21:00 -0400)
committer	Cristy <urban-warrior@imagemagick.org>
	Mon, 24 Jun 2019 01:00:35 +0000 (21:00 -0400)