~ubuntu-branches/ubuntu/hardy/libexif/hardy

Viewing changes to libexif/olympus/exif-mnote-data-olympus.c

Committer: Bazaar Package Importer
Author(s): Nico Golde
Date: 2007-12-21 17:13:58 UTC
mfrom: (5.1.5 hardy)
Revision ID: james.westby@ubuntu.com-20071221171358-zbjzk21kmnizelhk

Tags: 0.6.16-2.1

http://bugs.debian.org/457330

* Non-maintainer upload by security team.
* This update addresses the following security issues:
  - possible denial of service attack via crafted
    image file leading to an infinite recursion in the
    exif-loader.c (CVE-2007-6351; Closes: #457330).
  - integer overflow in exif-data.c triggered by a crafted
    image file could lead to arbitrary code execution
    (CVE-2007-6352; Closes: #457330).

files added:
ChangeLog.cvs

auto-m4

auto-m4/gettext.m4

auto-m4/iconv.m4

auto-m4/lib-ld.m4

auto-m4/lib-link.m4

auto-m4/lib-prefix.m4

auto-m4/nls.m4

auto-m4/po.m4

auto-m4/progtest.m4

debian/patches

debian/patches/00list

debian/patches/10_pkg_config_header_dir.dpatch

debian/patches/20_extra_colorspace_check.dpatch

debian/patches/30_olympus_makernote.dpatch

debian/patches/40_crash_looking_up_invalid_values.dpatch

debian/patches/50_relibtoolize.dpatch

debian/patches/CVE-2007-6351.dpatch

debian/patches/CVE-2007-6352.dpatch

libexif-uninstalled.pc.in

libexif.pc.in

po/cs.gmo

po/cs.po

po/ru.gmo

po/ru.po

po/sk.gmo

po/sk.po

po/vi.gmo

po/vi.po

test/test-integers.c

files removed:
config.log

libexif/libexif.pc.in

m4m/gettext.m4

m4m/iconv.m4

m4m/lib-ld.m4

m4m/lib-link.m4

m4m/lib-prefix.m4

m4m/nls.m4

m4m/po.m4

m4m/progtest.m4

files modified:
ChangeLog

INSTALL

Makefile.am

Makefile.in

NEWS

README

aclocal.m4

binary/Makefile.in

config.guess

config.sub

configure

configure.ac

debian/changelog

debian/compat

debian/control

debian/libexif12.docs

debian/rules

depcomp

doc/Doxyfile-internals.in

doc/Doxyfile.in

doc/Makefile.am

doc/Makefile.in

doc/libexif-api.html.tar.gz

install-sh

libexif.spec

libexif/Makefile.am

libexif/Makefile.in

libexif/canon/Makefile.in

libexif/canon/exif-mnote-data-canon.c

libexif/canon/exif-mnote-data-canon.h

libexif/canon/mnote-canon-entry.c

libexif/canon/mnote-canon-tag.c

libexif/canon/mnote-canon-tag.h

libexif/exif-content.c

libexif/exif-data.c

libexif/exif-data.h

libexif/exif-entry.c

libexif/exif-entry.h

libexif/exif-loader.c

libexif/exif-loader.h

libexif/exif-mem.c

libexif/exif-mem.h

libexif/exif-tag.c

libexif/exif-tag.h

libexif/exif-utils.c

libexif/exif-utils.h

libexif/i18n.h

libexif/olympus/Makefile.in

libexif/olympus/exif-mnote-data-olympus.c

libexif/olympus/exif-mnote-data-olympus.h

libexif/olympus/mnote-olympus-entry.c

libexif/olympus/mnote-olympus-tag.c

libexif/olympus/mnote-olympus-tag.h

libexif/pentax/Makefile.in

libexif/pentax/exif-mnote-data-pentax.c

libexif/pentax/exif-mnote-data-pentax.h

libexif/pentax/mnote-pentax-entry.c

libexif/pentax/mnote-pentax-tag.c

libexif/pentax/mnote-pentax-tag.h

ltmain.sh

m4m/Makefile.in

m4m/gp-documentation.m4

missing

po/Makevars

po/de.gmo

po/de.po

po/es.gmo

po/es.po

po/fr.gmo

po/fr.po

po/libexif-12.pot

po/pl.gmo

po/pl.po

test/Makefile.am

test/Makefile.in

test/nls/Makefile.am

test/nls/Makefile.in

test/nls/print-localedir.c

test/nls/test-nls.c

Show diffs side-by-side

added added

removed removed

libexif/olympus/exif-mnote-data-olympus.c

unsigned char **buf, unsigned int *buf_size)

{

ExifMnoteDataOlympus *n = (ExifMnoteDataOlympus *) ne;

unsigned int i, o, s, doff, base = 0, o2 = 6;

unsigned int i, o, s, doff, base = 0, o2 = 6 + 2;

int datao = 0;

if (!n || !buf || !buf_size) return;

* Allocate enough memory for all entries and the number of entries.

*buf_size = 6 + 2 + 2 + n->count * 12;

o2 += 2;

switch (n->version) {

100

case olympus:

case olympusV1:

101

100

*buf = exif_mem_alloc (ne->mem, *buf_size);

102

101

if (!*buf) return;

103

102

104

103

/* Write the header and the number of entries. */

105

104

strcpy ((char *)*buf, "OLYMP");

105

exif_set_short (*buf + 6, n->order, (ExifShort) 1);

106

datao = n->offset;

107

break;

108

case olympusV2:

109

*buf_size += 8-6 + 4;

110

*buf = exif_mem_alloc (ne->mem, *buf_size);

111

if (!*buf) return;

112

113

/* Write the header and the number of entries. */

114

strcpy ((char *)*buf, "OLYMPUS");

115

exif_set_short (*buf + 8, n->order, (ExifShort) (

116

(n->order == EXIF_BYTE_ORDER_INTEL) ?

117

('I' << 8) | 'I' :

118

('M' << 8) | 'M'));

119

exif_set_short (*buf + 10, n->order, (ExifShort) 3);

120

o2 += 4;

121

break;

108

122

case nikonV1:

109

123

base = MNOTE_NIKON1_TAG_BASE;

110

124

125

/* v1 has offsets based to main IFD, not makernote IFD */

126

datao += n->offset + 10;

111

127

/* subtract the size here, so the increment in the next case will not harm us */

112

*buf_size -= 8;

128

*buf_size -= 8 + 2;

113

129

/* Fall through */

114

130

case nikonV2:

115

*buf_size += 8;

131

*buf_size += 8 + 2;

132

*buf_size += 4; /* Next IFD pointer */

116

133

*buf = exif_mem_alloc (ne->mem, *buf_size);

117

134

if (!*buf) return;

118

135

120

137

strcpy ((char *)*buf, "Nikon");

121

138

(*buf)[6] = n->version;

122

139

123

*buf_size += 2;

124

140

if (n->version == nikonV2) {

125

141

exif_set_short (*buf + 10, n->order, (ExifShort) (

126

142

(n->order == EXIF_BYTE_ORDER_INTEL) ?

130

146

exif_set_long (*buf + 14, n->order, (ExifShort) 8);

131

147

o2 += 2 + 8;

132

148

}

133

datao = -10;

149

datao -= 10;

150

/* Reset next IFD pointer */

151

exif_set_long (*buf + o2 + 2 + n->count * 12, n->order, 0);

134

152

break;

135

153

136

154

default:

201

219

* lastly 0x2A.

202

220

203

221

if (buf_size - n->offset < 22) return;

204

if (!memcmp (buf + o2, "OLYMP", 5)) {

222

if (!memcmp (buf + o2, "OLYMP", 6)) {

205

223

exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",

206

"Parsing Olympus maker note...");

224

"Parsing Olympus maker note v1...");

207

225

208

226

/* The number of entries is at position 8. */

209

n->version = olympus;

210

o2 += 8;

227

n->version = olympusV1;

228

if (buf[o2 + 6] == 1)

229

n->order = EXIF_BYTE_ORDER_INTEL;

230

else if (buf[o2 + 6 + 1] == 1)

231

n->order = EXIF_BYTE_ORDER_MOTOROLA;

232

o2 += 8;

233

234

} else if (!memcmp (buf + o2, "OLYMPUS", 8)) {

235

/* Olympus S760, S770 */

236

datao = o2;

237

o2 += 8;

238

exif_log (en->log, EXIF_LOG_CODE_DEBUG, "ExifMnoteDataOlympus",

239

"Parsing Olympus maker note v2 (0x%02x, %02x, %02x, %02x)...",

240

buf[o2], buf[o2 + 1], buf[o2 + 2], buf[o2 + 3]);

241

242

if ((buf[o2] == 'I') && (buf[o2 + 1] == 'I'))

243

n->order = EXIF_BYTE_ORDER_INTEL;

244

else if ((buf[o2] == 'M') && (buf[o2 + 1] == 'M'))

245

n->order = EXIF_BYTE_ORDER_MOTOROLA;

246

247

/* The number of entries is at position 8+4. */

248

n->version = olympusV2;

249

o2 += 4;

211

250

212

251

} else if (!memcmp (buf + o2, "Nikon", 6)) {

213

252

o2 += 6;

362

401

363

402

if (!n) return NULL;

364

403

if (i >= n->count) return NULL;

365

return mnote_olympus_tag_get_title (n->entries[i].tag);

404

return mnote_olympus_tag_get_description (n->entries[i].tag);

366

405

}

367

406

368

407

static void

Older »