From 3d8d1f13dce7150a44c3f8a222fb55e0f1163d0a Mon Sep 17 00:00:00 2001
From: cristy
Date: Wed, 29 Feb 2012 01:59:28 +0000
Subject: [PATCH]
---
 MagickCore/profile.c | 10 ++++++----
 MagickCore/property.c | 23 ++++++++++++++---------
 2 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/MagickCore/profile.c b/MagickCore/profile.c
index d2b35920f..a046c708a 100644
--- a/MagickCore/profile.c
+++ b/MagickCore/profile.c
@@ -6658,7 +6658,7 @@ MagickPrivate MagickBooleanType SyncImageProfiles(Image *image)
 This the offset to the first IFD.
 */
 offset=(ssize_t) ((int) ReadProfileLong(endian,exif+4));
- if (offset >= length)
+ if ((size_t) offset >= length)
 return(MagickFalse);
 directory=exif+offset;
 level=0;
@@ -6709,8 +6709,10 @@ MagickPrivate MagickBooleanType SyncImageProfiles(Image *image)
 The directory entry contains an offset.
 */
 offset=(ssize_t) ((int) ReadProfileLong(endian,q+8));
- if ((offset+number_bytes) > length)
+ if ((size_t) (offset+number_bytes) > length)
 continue;
+ if (~length < number_bytes)
+ continue; /* prevent overflow */
 p=(unsigned char *) (exif+offset);
 }
 switch (tag_value)
@@ -6747,7 +6749,7 @@ MagickPrivate MagickBooleanType SyncImageProfiles(Image *image)
 offset;

 offset=(ssize_t) ((int) ReadProfileLong(endian,p));
- if ((offset < length) && (level < (MaxDirectoryStack-2)))
+ if (((size_t) offset < length) && (level < (MaxDirectoryStack-2)))
 {
 directory_stack[level].directory=directory;
 entry++;
@@ -6760,7 +6762,7 @@ MagickPrivate MagickBooleanType SyncImageProfiles(Image *image)
 break;
 offset=(ssize_t) ((int) ReadProfileLong(endian,directory+2+(12*
 number_entries)));
- if ((offset != 0) && (offset < length) &&
+ if ((offset != 0) && ((size_t) offset < length) &&
 (level < (MaxDirectoryStack-2)))
 {
 directory_stack[level].directory=exif+offset;
diff --git a/MagickCore/property.c b/MagickCore/property.c
index 4d7141bc1..07e201a4e 100644
--- a/MagickCore/property.c
+++ b/MagickCore/property.c
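Review bot: In the hunk at `@@ -6658,7 +6658,7 @@` of MagickCore/profile.c the new test `(size_t) offset >= length` still accepts `offset == length-1`, so `directory=exif+offset` can point at the last byte of the profile. The code that reads through `directory` is outside the hunk, but an IFD presumably starts with a two-byte entry count, so the bound should leave room for it, for example `if ((offset < 0) || ((size_t) offset+2 > length)) return(MagickFalse);`. The same `(size_t) offset < length` bound gates the directory pushes in the hunks at `@@ -6747,7 +6749,7 @@` and `@@ -6760,7 +6762,7 @@`, and in property.c at `@@ -1469,16 +1473,17 @@` and `@@ -1490,9 +1495,9 @@`. Spelling out the `offset < 0` case also documents that the cast is what rejects negative values today.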
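Review bot: In the hunk at `@@ -6709,8 +6709,10 @@` of MagickCore/profile.c the added `if (~length < number_bytes)` guard runs after `offset+number_bytes` has already been computed and compared, and it tests whether `length+number_bytes` would wrap rather than the sum that is actually used. `offset` is a signed value taken from the profile; assuming `number_bytes` is unsigned (the comparison with `~length` suggests so), a negative `offset` can wrap the sum back under `length`, after which `p=(unsigned char *) (exif+offset)` points before the buffer. A check that never forms the sum avoids both problems: `if ((offset < 0) || ((size_t) offset > length) || (number_bytes > (length-(size_t) offset))) continue;`. property.c carries the identical pair of checks in the hunk at `@@ -1319,6 +1321,8 @@`.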
@@ -802,7 +802,9 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 *directory;

 size_t
- entry,
+ entry;
+
+ ssize_t
 offset;
 } DirectoryInfo;

@@ -1114,7 +1116,6 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 entry,
 length,
 number_entries,
- tag_offset,
 tag;

 SplayTreeInfo
@@ -1125,6 +1126,7 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 id,
 level,
 offset,
+ tag_offset,
 tag_value;

 static int
@@ -1319,6 +1321,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 offset=(ssize_t) ((int) ReadPropertyLong(endian,q+8));
 if ((size_t) (offset+number_bytes) > length)
 continue;
+ if (~length < number_bytes)
+ continue; /* prevent overflow */
 p=(unsigned char *) (exif+offset);
 }
 if ((all != 0) || (tag == (size_t) tag_value))
@@ -1469,16 +1473,17 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 if ((tag_value == TAG_EXIF_OFFSET) ||
 (tag_value == TAG_INTEROP_OFFSET) || (tag_value == TAG_GPS_OFFSET))
 {
- size_t
+ ssize_t
 offset;

- offset=(size_t) ((int) ReadPropertyLong(endian,p));
- if ((offset < length) && (level < (MaxDirectoryStack-2)))
+ offset=(ssize_t) ((int) ReadPropertyLong(endian,p));
+ if (((size_t) offset < length) && (level < (MaxDirectoryStack-2)))
 {
- size_t
+ ssize_t
 tag_offset1;

- tag_offset1=(tag_value == TAG_GPS_OFFSET) ? 0x10000UL : 0UL;
+ tag_offset1=(ssize_t) ((tag_value == TAG_GPS_OFFSET) ? 0x10000 :
+ 0);
 directory_stack[level].directory=directory;
 entry++;
 directory_stack[level].entry=entry;
@@ -1490,9 +1495,9 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 level++;
 if ((directory+2+(12*number_entries)) > (exif+length))
 break;
- offset=(size_t) ((int) ReadPropertyLong(endian,directory+2+(12*
+ offset=(ssize_t) ((int) ReadPropertyLong(endian,directory+2+(12*
 number_entries)));
- if ((offset != 0) && (offset < length) &&
+ if ((offset != 0) && ((size_t) offset < length) &&
 (level < (MaxDirectoryStack-2)))
 {
 directory_stack[level].directory=exif+offset;
--
2.40.0
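Review bot: The block-scoped `ssize_t offset;` declared in the hunk at `@@ -1469,16 +1473,17 @@` of MagickCore/property.c shadows the function-level `offset` that the hunk at `@@ -1125,6 +1126,7 @@` lists next to `tag_offset`, and after this change the two appear to have the same type. In a parser that handles several file-supplied offsets, a shadowed name makes it easy to bound-check one variable and index through the other. Either drop the inner declaration if the outer value is dead at this point, or rename it, e.g. `ssize_t ifd_offset;`; the type line of the outer declaration list is outside the hunk, so confirm it before removing anything.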
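Review bot: In the hunk at `@@ -1490,9 +1495,9 @@` of MagickCore/property.c the context guard `if ((directory+2+(12*number_entries)) > (exif+length)) break;` only proves that the next-IFD field starts at or before the end of the profile, yet the rewritten line reads it immediately with `ReadPropertyLong(endian,directory+2+(12*number_entries))`. If that helper reads four bytes, as its name suggests, the read can run up to four bytes past `exif+length`. Including the field width in the guard closes the gap: `if ((directory+2+(12*number_entries)+4) > (exif+length)) break;`. The matching read in profile.c (hunk at `@@ -6760,7 +6762,7 @@`) sits behind a `break;` whose condition is outside that hunk and deserves the same look.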