Seems the link I provided is already dead... You can find the original code here: http://sylvana.net/jpegcrop/jpegexiforient.c
length is initialised from reading 2 bytes. regards, david On Fri, May 30, 2014 at 6:00 AM, BALATON Zoltan <[email protected]> wrote: > On Thu, 29 May 2014, David Maciejak wrote: >> >> +/* >> + Based on jpegexiforient.c >> + Full src available at >> http://ftp.freebsd.org/pub/FreeBSD/distfiles/jpeg8b/jpegexiforient.c >> + >> + Tested with img samples from >> http://github.com/recurser/exif-orientation-examples >> +*/ >> +int RGetImageOrientation(const char *file) >> +{ >> + int c1, c2; >> + int set_flag = ROrientationUnknown; >> + unsigned int length, i; >> + /* Flag for byte order */ >> + int is_motorola; >> + unsigned int exif_offset, offset, number_of_tags, tagnum; >> + FILE *myfile; >> + unsigned char exif_data[65536L]; > > > [...] > > >> + /* Get the marker parameter length count */ >> + c1 = getc(myfile); >> + if (c1 == EOF) >> + exif_offset = 0; >> + c2 = getc(myfile); >> + if (c2 == EOF) >> + exif_offset = 0; >> + length = (((unsigned int) c1) << 8) + ((unsigned int) c2); >> + >> + /* Length includes itself, so must be at least 2 */ >> + /* Following Exif data length must be at least 6 */ >> + if (length < 8) >> + exif_offset = 0; >> + >> + exif_offset += 2; >> + >> + /* No marker tag. */ >> + if (exif_data[0] != 0xFF) >> + exif_offset = 0; >> + >> + /* Exif if APP1 is found. */ >> + if (exif_data[1] == 0xE1) >> + break; >> + >> + exif_offset += length; >> + >> + /* Some other marker found, seek to next one. */ >> + if (-1 == fseek(myfile, length - 2, SEEK_CUR)) >> + /* Can't seek. 
*/ >> + exif_offset = 0; >> + } >> + >> + /* check if something went wrong */ >> + if (!exif_offset) >> + goto clean_return; >> + >> + length -= 8; >> + /* Read Exif head, check for "Exif" */ >> + for (i = 0; i < 6; i++) { >> + int c; >> + c = getc(myfile); >> + if (c == EOF) >> + goto clean_return; >> + exif_data[i] = (unsigned char) c; >> + } >> + >> + if (exif_data[0] != 0x45 || exif_data[1] != 0x78 || exif_data[2] != 0x69 >> || >> + exif_data[3] != 0x66 || exif_data[4] != 0 || exif_data[5] != 0) >> + goto clean_return; >> + >> + /* Read Exif body */ >> + for (i = 0; i < length; i++) { >> + int c; >> + c = getc(myfile); >> + if (c == EOF) >> + goto clean_return; >> + exif_data[i] = (unsigned char) c; >> + } > > > How do you make sure that there won't be an overflow of the exif_data[] > array? I see no checks that length is smaller than the size of this array > which is a fixed constant. > > Regards, > BALATON Zoltan -- To unsubscribe, send mail to [email protected].
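Review bot: the `if (length < 8) exif_offset = 0;` guard in the marker loop does not actually stop processing, because the very next statement, `exif_offset += 2;`, makes exif_offset non-zero again, and the loop then reaches `break` when APP1 is found. The later `if (!exif_offset) goto clean_return;` therefore never fires for a short length, `length -= 8;` wraps around on the unsigned value, and the "Read Exif body" loop `for (i = 0; i < length; i++)` keeps writing into exif_data[65536L] until EOF, so the answer "length is initialised from reading 2 bytes" only bounds the loop when that guard is effective. The same applies to the `c1 == EOF` / `c2 == EOF` and `exif_data[0] != 0xFF` checks, which set the flag and fall through instead of leaving the loop. Suggest replacing each `exif_offset = 0;` on an error path with a direct `goto clean_return;` (or a `break` followed by the check), and adding an explicit bound before the body loop, e.g. `if (length > sizeof(exif_data)) goto clean_return;`, so the array size is checked in the code rather than implied by the two-byte read.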
