Opened 10 years ago

Closed 10 years ago

Last modified 6 years ago

#3078 closed defect (fixed)

Corrupt EXIF info can cause stack buffer overflow in JPEG driver

Reported by: Even Rouault Owned by: Even Rouault
Priority: normal Milestone: 1.6.2
Component: default Version: unspecified
Severity: normal Keywords:
Cc: warmerdam

Description

2 possible flaws :

  • EXIFPrintData() can write data after the end of the output buffer (allocated on stack in EXIFExtractMetadata) if tdir_count is too big
  • the tdir_type value is not checked for validity. Read can then occur outside of the datatype array. Using TIFFDataWidth() instead and checking for handled datatypes will fix that.

Change History (3)

comment:1 Changed 10 years ago by Even Rouault

Resolution: fixed
Status: newclosed

Fixed in trunk (r17443) and in branches/1.6 (r17444)

comment:2 Changed 10 years ago by Even Rouault

Additionnal check to prevent multiplication overflow added in trunk (r17449) and in branches/1.6 (r17450)

comment:3 Changed 6 years ago by Even Rouault

trunk r27254, branches/1.11 r27255 : "EXIF reader: add missing validation for some data types (#3078)"

Note: See TracTickets for help on using tickets.