#3078 closed defect (fixed)
Corrupt EXIF info can cause stack buffer overflow in JPEG driver
Reported by: | Even Rouault | Owned by: | Even Rouault |
---|---|---|---|
Priority: | normal | Milestone: | 1.6.2 |
Component: | default | Version: | unspecified |
Severity: | normal | Keywords: | |
Cc: | warmerdam |
Description
2 possible flaws:
- EXIFPrintData() can write data after the end of the output buffer (allocated on stack in EXIFExtractMetadata) if tdir_count is too big
- the tdir_type value is not checked for validity. Read can then occur outside of the datatype array. Using TIFFDataWidth() instead and checking for handled datatypes will fix that.
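The two checks the description calls for, shown as an added C sketch (not GDAL's code and not the committed fix). `DirEntry`, `type_width()` and `print_entry()` are hypothetical names; `type_width()` stands in for `TIFFDataWidth()` so the block builds without libtiff, and the sample entries in `main()` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical entry; field names follow the ticket (tdir_type, tdir_count). */
typedef struct { uint16_t tdir_tag, tdir_type; uint32_t tdir_count; } DirEntry;

/* Byte width of the TIFF types this sketch handles, 0 for anything else.
   A switch cannot be indexed out of range the way a lookup array can. */
static size_t type_width(uint16_t type) {
    switch (type) {
    case 1: case 2: return 1;   /* BYTE, ASCII */
    case 3:         return 2;   /* SHORT */
    case 4:         return 4;   /* LONG */
    default:        return 0;   /* invalid or unhandled: reject */
    }
}

/* Formats the entry's little-endian values into out[outsz].
   Returns characters written, or -1 if the type is not handled, the count
   exceeds the data actually available, or the text would not fit in out. */
static int print_entry(const DirEntry *e, const uint8_t *data, size_t datalen,
                       char *out, size_t outsz) {
    size_t w = type_width(e->tdir_type), used = 0;
    if (w == 0 || outsz == 0) return -1;
    if (e->tdir_count > datalen / w) return -1;  /* division avoids overflow */
    out[0] = '\0';
    for (uint32_t i = 0; i < e->tdir_count; i++) {
        uint32_t v = 0;
        for (size_t b = 0; b < w; b++)
            v |= (uint32_t)data[(size_t)i * w + b] << (8 * b);
        /* snprintf never writes past the space left; n >= space means truncated */
        int n = snprintf(out + used, outsz - used, "%s%u", i ? "," : "", (unsigned)v);
        if (n < 0 || (size_t)n >= outsz - used) return -1;
        used += (size_t)n;
    }
    return (int)used;
}

int main(void) {
    const uint8_t data[4] = {1, 0, 2, 0};          /* constructed sample payload */
    char buf[16];
    DirEntry ok  = {0x9000, 3, 2};                 /* two SHORTs */
    DirEntry bad = {0x9000, 200, 0xFFFFFFFFu};     /* bogus type, huge count */
    printf("%d\n", print_entry(&ok, data, sizeof data, buf, sizeof buf));
    printf("%d\n", print_entry(&bad, data, sizeof data, buf, sizeof buf));
    return 0;
}
```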
Change History (3)
comment:1 by , 15 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:2 by , 15 years ago
comment:3 by , 10 years ago
Fixed in trunk (r17443) and in branches/1.6 (r17444)