From 55f0a0c08974b8b79ebfa7762b555a1704b25fb2 Mon Sep 17 00:00:00 2001
From: Alex Tutubalin <lexa@lexa.ru>
Date: Tue, 16 Jun 2020 13:17:00 +0300
Subject: [PATCH] possible buffer underrun in exif parser

---
 src/metadata/cr3_parser.cpp |  2 +-
 src/metadata/exif_gps.cpp   | 13 +++++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/metadata/cr3_parser.cpp b/src/metadata/cr3_parser.cpp
index 33983e62..ee209bf3 100644
--- a/src/metadata/cr3_parser.cpp
+++ b/src/metadata/cr3_parser.cpp
@@ -83,7 +83,7 @@ void LibRaw::selectCRXTrack(short maxTrack)
 
     int tiff_idx = -1;
     INT64 tpixels = 0;
-    for (int i = 0; i < tiff_nifds; i++)
+    for (int i = 0; i < tiff_nifds && i < LIBRAW_IFD_MAXCOUNT; i++)
       if (INT64(tiff_ifd[i].t_height) * INT64(tiff_ifd[i].t_height) > tpixels)
       {
         tpixels = INT64(tiff_ifd[i].t_height) * INT64(tiff_ifd[i].t_height);
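Review bot: The comparison inside the newly bounded loop multiplies `t_height` by itself, both on the `if` line and in the `tpixels =` assignment; for a value named tpixels that reads like a copy-paste slip where the second factor was presumably meant to be the IFD's width field, although these are context lines the commit does not touch and it may be deliberate if only height matters here. The added `i < LIBRAW_IFD_MAXCOUNT` bound matches the `tiff_nifds <= LIBRAW_IFD_MAXCOUNT` guard introduced in exif_gps.cpp, so both files now assume tiff_ifd holds LIBRAW_IFD_MAXCOUNT entries; a short comment on the loop, `// tiff_nifds can exceed the tiff_ifd capacity on malformed files; clamp to the array`, would record why the extra bound exists. selectCRXTrack continues past the end of the hunk.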
diff --git a/src/metadata/exif_gps.cpp b/src/metadata/exif_gps.cpp
index 6fbe1f32..98327969 100644
--- a/src/metadata/exif_gps.cpp
+++ b/src/metadata/exif_gps.cpp
@@ -164,7 +164,9 @@ void LibRaw::parse_exif(int base)
       imgdata.lens.EXIF_MaxAp = libraw_powf64l(2.0f, (getreal(type) / 2.0f));
       break;
     case 0x829a: // 33434
-      tiff_ifd[tiff_nifds - 1].t_shutter = shutter = getreal(type);
+      shutter = getreal(type);
+      if (tiff_nifds > 0 && tiff_nifds <= LIBRAW_IFD_MAXCOUNT)
+          tiff_ifd[tiff_nifds - 1].t_shutter = shutter;
       break;
     case 0x829d: // 33437, FNumber
       aperture = getreal(type);
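Review bot: The guard `tiff_nifds > 0 && tiff_nifds <= LIBRAW_IFD_MAXCOUNT` before the `tiff_ifd[tiff_nifds - 1]` write in the `0x829a` case is repeated verbatim in the `0x9201` hunk below, and nothing explains why both bounds are needed; a one-line comment at the first use, `// tiff_nifds may be 0 (no IFD seen yet) or past LIBRAW_IFD_MAXCOUNT on malformed input; only store into a valid slot`, would document the invariant, and a small helper such as `bool have_current_ifd() const` evaluating the same expression would keep the two sites from drifting apart. When the guard fails the value survives only in the local `shutter`, which looks like the intended degradation rather than an error, but that is inferred from the hunk alone. parse_exif begins and ends outside this hunk.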
@@ -186,9 +188,12 @@ void LibRaw::parse_exif(int base)
       get_timestamp(0);
       break;
     case 0x9201: // 37377
-      if ((expo = -getreal(type)) < 128 && shutter == 0.)
-        tiff_ifd[tiff_nifds - 1].t_shutter = shutter =
-            libraw_powf64l(2.0, expo);
+       if ((expo = -getreal(type)) < 128 && shutter == 0.)
+       {
+            shutter = libraw_powf64l(2.0, expo);
+            if (tiff_nifds > 0 && tiff_nifds <= LIBRAW_IFD_MAXCOUNT)
+              tiff_ifd[tiff_nifds - 1].t_shutter = shutter;
+       }
       break;
     case 0x9202: // 37378 ApertureValue
       if ((fabs(ape = getreal(type)) < 256.0) && (!aperture))
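Review bot: The rewritten `0x9201` block is indented one column deeper than the surrounding case bodies — the `if` and its braces sit at seven spaces where the neighbouring `break;` and `case` labels use six, and `shutter = libraw_powf64l(2.0, expo);` at twelve against the guarded store at fourteen — so the hunk reads as if it were pasted in from elsewhere. Aligning the `if`/`{`/`}` lines with the six-space case body and the two statements inside at eight and ten would match the `0x829a` case above. The `< 128` ceiling on `expo` is preserved from the old code and is not otherwise explained; a comment noting the exponent bound would help if it is not documented elsewhere. parse_exif continues outside the hunk in both directions.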