Title: [132961] trunk/Source/WebCore
Revision
132961
Author
[email protected]
Date
2012-10-30 16:43:48 -0700 (Tue, 30 Oct 2012)

Log Message

Fix potential overflow in jpeg exif reader. Found by [email protected].
https://bugs.webkit.org/show_bug.cgi?id=100320

Reviewed by Eric Seidel.

Adding more than 1 element past an array is undefined, so don't do it.

No test, since in practice ifd will just overflow and `end - ifd` will
become much larger than 2 and the `if (end - ifd < 2)` a few lines
down will catch that case.

* platform/image-decoders/jpeg/JPEGImageDecoder.cpp:
(WebCore::readImageOrientation):
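The bounds check the log message describes, as an added C example that is not WebKit's code: a hypothetical, simplified reader for an Exif APP1 marker payload (layout and sample bytes constructed here) that validates the IFD offset on integers before any pointer is formed, so a hostile offset is rejected instead of producing an out-of-bounds pointer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Layout (constructed to mirror the page): "Exif\0\0" (6 bytes), then a
 * TIFF header: byte order "II"/"MM", 0x002A, uint32 offset of IFD0 relative
 * to the TIFF header; IFD0 starts with a uint16 entry count. */
enum { kExifHeaderLen = 6, kTiffHeaderLen = 8 };

static uint16_t read16(const uint8_t* p, bool bigEndian) {
    return bigEndian ? (uint16_t)((p[0] << 8) | p[1]) : (uint16_t)((p[1] << 8) | p[0]);
}

static uint32_t read32(const uint8_t* p, bool bigEndian) {
    return bigEndian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* Returns the IFD0 entry count, or -1 if the payload is malformed or the IFD
 * offset would put the directory outside it. Every check is done on integers
 * before a pointer is derived, so no pointer is ever formed past the end. */
int exifIfd0EntryCount(const uint8_t* data, unsigned dataLength) {
    if (dataLength < kExifHeaderLen + kTiffHeaderLen || memcmp(data, "Exif\0\0", kExifHeaderLen) != 0)
        return -1;
    const uint8_t* tiff = data + kExifHeaderLen;
    unsigned tiffLength = dataLength - kExifHeaderLen; /* cannot wrap: checked above */
    bool bigEndian;
    if (tiff[0] == 'M' && tiff[1] == 'M') bigEndian = true;
    else if (tiff[0] == 'I' && tiff[1] == 'I') bigEndian = false;
    else return -1;
    if (read16(tiff + 2, bigEndian) != 0x002A)
        return -1;
    uint32_t ifdOffset = read32(tiff + 4, bigEndian);
    /* Same idea as r132961: reject the offset before adding it to a pointer,
     * and keep the "at least 2 bytes left for the count" check wrap-free. */
    if (ifdOffset >= tiffLength || tiffLength - ifdOffset < 2)
        return -1;
    return read16(tiff + ifdOffset, bigEndian);
}

/* Constructed sample payloads, not taken from any real file. */
const uint8_t kBigEndianOk[]    = {'E','x','i','f',0,0,'M','M',0,0x2A,0,0,0,8,0,1};
const uint8_t kLittleEndianOk[] = {'E','x','i','f',0,0,'I','I',0x2A,0,8,0,0,0,2,0};
const uint8_t kHugeOffset[]     = {'E','x','i','f',0,0,'M','M',0,0x2A,0xFF,0xFF,0xFF,0xF0,0,0};
const uint8_t kOffsetAtEnd[]    = {'E','x','i','f',0,0,'M','M',0,0x2A,0,0,0,9,0,0};
```

Without the integer check, `tiff + ifdOffset` for `kHugeOffset` would be an out-of-bounds pointer and the later `end - ifd` subtraction would be meaningless.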

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (132960 => 132961)


--- trunk/Source/WebCore/ChangeLog	2012-10-30 23:33:42 UTC (rev 132960)
+++ trunk/Source/WebCore/ChangeLog	2012-10-30 23:43:48 UTC (rev 132961)
@@ -1,3 +1,19 @@
+2012-10-30  Nico Weber  <[email protected]>
+
+        Fix potential overflow in jpeg exif reader. Found by [email protected].
+        https://bugs.webkit.org/show_bug.cgi?id=100320
+
+        Reviewed by Eric Seidel.
+
+        Adding more than 1 element past an array is undefined, so don't do it.
+
+        No test, since in practice ifd will just overflow and `end - ifd` will
+        become much larget than 2 and the `if (end - ifd < 2)` a few lines
+        down will catch that case.
+
+        * platform/image-decoders/jpeg/JPEGImageDecoder.cpp:
+        (WebCore::readImageOrientation):
+
 2012-10-26  Alexandru Chiculita  <[email protected]>
 
         [CSS Shaders] Add the ValidatedCustomFilterOperation class
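Review bot: typo in the new ChangeLog entry, "larget" should be "larger" ("become much larger than 2 and the `if (end - ifd < 2)` ...").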

Modified: trunk/Source/WebCore/platform/image-decoders/jpeg/JPEGImageDecoder.cpp (132960 => 132961)


--- trunk/Source/WebCore/platform/image-decoders/jpeg/JPEGImageDecoder.cpp	2012-10-30 23:33:42 UTC (rev 132960)
+++ trunk/Source/WebCore/platform/image-decoders/jpeg/JPEGImageDecoder.cpp	2012-10-30 23:43:48 UTC (rev 132961)
@@ -187,7 +187,10 @@
         unsigned ifdOffset;
         if (!checkExifHeader(marker, isBigEndian, ifdOffset))
             continue;
-        ifdOffset += 6; // Account for 'Exif\0<fill byte>' header.
+        const unsigned offsetToTiffData = 6; // Account for 'Exif\0<fill byte>' header.
+        if (marker->data_length < offsetToTiffData || ifdOffset >= marker->data_length - offsetToTiffData)
+            continue;
+        ifdOffset += offsetToTiffData;
 
         // The jpeg exif container format contains a tiff block for metadata.
         // A tiff image file directory (ifd) consists of a uint16_t describing
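Review bot: the new `continue` on the bounds check carries no comment saying why the offset is rejected; the rationale from the ChangeLog (forming a pointer more than one past the marker data is undefined, so the offset must be validated as an integer first) belongs next to the check, e.g. `// Reject IFD offsets that would point past the marker data; the pointer arithmetic below would otherwise be undefined.` The ordering of the two conditions is right: `marker->data_length < offsetToTiffData` is evaluated first, so `marker->data_length - offsetToTiffData` cannot wrap.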
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
