2.4.x: Bug 105205 - fix a buffer overflow in the TIFF parser

author: Hubert Figuière <hub@figuiere.net> 2018-02-25 14:01:52 -0500
committer: Hubert Figuière <hub@figuiere.net> 2018-03-07 23:21:58 -0500
commit: d0b22edd422700942500f9949f30258b1abd6fde (patch)
tree: 7c9fa5fbd8a016c873a660c54ba4d334d84a7fbb
parent: 189dc15d126138036510794cd663587dbef855b1 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/XMPFiles/source/FileHandlers/TIFF_Handler.cpp b/XMPFiles/source/FileHandlers/TIFF_Handler.cpp
index 1a49ab2..267793c 100644
--- a/XMPFiles/source/FileHandlers/TIFF_Handler.cpp
+++ b/XMPFiles/source/FileHandlers/TIFF_Handler.cpp
@@ -235,8 +235,9 @@ void TIFF_MetaHandler::ProcessXMP()
 			// zero padding for the IPTC digest. If the full digest differs, recheck without the padding.
 
 			iptcDigestState = PhotoDataUtils::CheckIPTCDigest ( iptcInfo.dataPtr, iptcInfo.dataLen, digestInfo.dataPtr );
-
-			if ( (iptcDigestState == kDigestDiffers) && (kTIFF_TypeSizes[iptcInfo.type] > 1) ) {
+			// See bug https://bugs.freedesktop.org/show_bug.cgi?id=105205
+			// if iptcInfo.dataLen is 0, then there is no digest.
+			if ( (iptcDigestState == kDigestDiffers) && (kTIFF_TypeSizes[iptcInfo.type] > 1) && iptcInfo.dataLen > 0 ) {
 				XMP_Uns8 * endPtr = (XMP_Uns8*)iptcInfo.dataPtr + iptcInfo.dataLen - 1;
 				XMP_Uns8 * minPtr = endPtr - kTIFF_TypeSizes[iptcInfo.type] + 1;
 				while ( (endPtr >= minPtr) && (*endPtr == 0) ) --endPtr;
author	Hubert Figuière <hub@figuiere.net>	2018-02-25 14:01:52 -0500
committer	Hubert Figuière <hub@figuiere.net>	2018-03-07 23:21:58 -0500
commit	d0b22edd422700942500f9949f30258b1abd6fde (patch)
tree	7c9fa5fbd8a016c873a660c54ba4d334d84a7fbb
parent	189dc15d126138036510794cd663587dbef855b1 (diff)