From 03173751b4d7053d6ddf52a15904e8f751f78f56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Sun, 2 Sep 2018 14:39:52 +0200
Subject: [PATCH 2/5] Fix bug in PngChunk::readRawProfile

- Now it takes into account text.size_ when searching for a newline
char.
---
 src/pngchunk.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
index 58281b3ff..755872c94 100644
--- a/src/pngchunk.cpp
+++ b/src/pngchunk.cpp
@@ -629,11 +629,19 @@ namespace Exiv2 {
 
 
         sp = (char*)text.pData_+1;
+        int pointerPos = 1;
 
         // Look for newline
-
-        while (*sp != '\n')
+        while (*sp != '\n' && pointerPos < (text.size_ - 1))
+        {
             sp++;
+            pointerPos++;
+        }
+
+        if (pointerPos == (text.size_ - 1))
+        {
+            return DataBuf();
+        }
 
         // Look for length
 
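Review bot: The guard `if (pointerPos == (text.size_ - 1))` only catches a scan that ran to the last byte; for `text.size_ == 1` the loop condition `1 < 0` is false from the start, the guard `1 == 0` is also false, and control falls through to the later scans with `sp` already one past the buffer (the only size check I can see on this page, the `text.size_ == 0` test shown as context in the fourth patch, does not cover that case). An inequality closes the hole: `if (pointerPos >= (text.size_ - 1))`. The same `==` comparison is carried into both guards of the next patch in this series. The rest of readRawProfile, including the length and hex-decode scans, lies outside this hunk.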

From cf3ba049a2792ec2a4a877e343f5dd9654da53dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Mon, 3 Sep 2018 08:51:08 +0200
Subject: [PATCH 3/5] Fix more issues in PngChunk::readRawProfile

---
 src/pngchunk.cpp | 36 +++++++++++++-----------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
index 755872c94..9b3faf1aa 100644
--- a/src/pngchunk.cpp
+++ b/src/pngchunk.cpp
@@ -606,11 +606,6 @@ namespace Exiv2 {
     DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt)
     {
         DataBuf                 info;
-        register long           i;
-        register unsigned char *dp;
-        const char             *sp;
-        unsigned int            nibbles;
-        long                    length;
         unsigned char           unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
                                             0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
                                             0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
@@ -627,8 +622,7 @@ namespace Exiv2 {
             return  info;
         }
 
-
-        sp = (char*)text.pData_+1;
+        const char *sp = (char*)text.pData_+1;
         int pointerPos = 1;
 
         // Look for newline
@@ -638,20 +632,30 @@ namespace Exiv2 {
             pointerPos++;
         }
 
+        // Look for length
+        while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
+        {
+            sp++;
+            pointerPos++;
+        }
+
         if (pointerPos == (text.size_ - 1))
         {
             return DataBuf();
         }
 
-        // Look for length
+        long length = (long) atol(sp);
 
-        while (*sp == '\0' || *sp == ' ' || *sp == '\n')
+        while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
+        {
             sp++;
+            pointerPos++;
+        }
 
-        length = (long) atol(sp);
-
-        while (*sp != ' ' && *sp != '\n')
-            sp++;
+        if (pointerPos == (text.size_ - 1))
+        {
+            return DataBuf();
+        }
 
         // Allocate space
 
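Review bot: `long length = (long) atol(sp);` is the one read in this hunk that is not bounded by `text.size_`: atol consumes digits until the first non-digit, nothing on this page shows `text.pData_` to be NUL-terminated, so a text that ends in digits is read past its end, and the resulting value is never validated before the allocation that follows the hunk (`info.alloc(length)` appears as context in the fourth patch). A bounded parse, or at least a check against the text that remains, e.g. `if (length <= 0 || length > (text.size_ - pointerPos) / 2) return DataBuf();` (two hex characters per decoded byte — to be confirmed against the decode loop), would cover both. Moving the whitespace skip ahead of the guard is otherwise an improvement over the previous patch. readRawProfile continues outside this hunk.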
@@ -674,10 +678,10 @@ namespace Exiv2 {
 
         // Copy profile, skipping white space and column 1 "=" signs
 
-        dp      = (unsigned char*)info.pData_;
-        nibbles = length * 2;
+        unsigned char *dp = (unsigned char*)info.pData_;
+        unsigned int nibbles = length * 2;
 
-        for (i = 0; i < (long) nibbles; i++)
+        for (long i = 0; i < (long) nibbles; i++)
         {
             while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
             {
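Review bot: `unsigned int nibbles = length * 2;` narrows a `long` into `unsigned int` and the loop then compares `i < (long) nibbles`, so for a large `length` the product is truncated before being cast back and the loop bound no longer matches the allocation made earlier in the function. Keeping the count in the same type, `long nibbles = length * 2;`, removes the silent truncation. The inner scan on the line below, `while (*sp < '0' || ...)`, still advances `sp` with no end-of-text bound, unlike the scans fixed earlier in this patch; the decode loop body continues outside the hunk.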

From 8b480bc5b2cc2abb8cf6fe4e16c24e58916464d2 Mon Sep 17 00:00:00 2001
From: Robin Mills <robin@clanmills.com>
Date: Mon, 10 Sep 2018 20:54:53 +0200
Subject: [PATCH 4/5] Fixes in PngChunk::readRawProfile

---
 src/pngchunk.cpp | 55 ++++++++++++++++++++++----------------------
 1 file changed, 27 insertions(+), 28 deletions(-)

diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
index 9b3faf1aa..f81b560aa 100644
--- a/src/pngchunk.cpp
+++ b/src/pngchunk.cpp
@@ -607,11 +607,11 @@ namespace Exiv2 {
     {
         DataBuf                 info;
         unsigned char           unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
-                                            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
-                                            0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
-                                            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
-                                            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
-                                            13,14,15};
+            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+            0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+            0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
+            13,14,15};
         if (text.size_ == 0) {
             return DataBuf();
         }
@@ -622,52 +622,51 @@ namespace Exiv2 {
             return  info;
         }
 
-        const char *sp = (char*)text.pData_+1;
-        int pointerPos = 1;
+        const char *sp  = (char*) text.pData_+1;          // current byte (space pointer)
+        const char *eot = (char*) text.pData_+text.size_; // end of text
 
         // Look for newline
-        while (*sp != '\n' && pointerPos < (text.size_ - 1))
+        while (*sp != '\n' && sp < eot )
         {
             sp++;
-            pointerPos++;
+            if ( sp == eot )
+            {
+                return DataBuf();
+            }
         }
+        sp++ ; // step over '\n'
 
         // Look for length
-        while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
+        while ( (*sp == '\0' || *sp == ' ' || *sp == '\n') && sp < eot )
         {
             sp++;
-            pointerPos++;
-        }
-
-        if (pointerPos == (text.size_ - 1))
-        {
-            return DataBuf();
+            if (sp == eot )
+            {
+                return DataBuf();
+            }
         }
 
-        long length = (long) atol(sp);
-
-        while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
+        const char* startOfLength = sp;
+        while ( ('0' <= *sp && *sp <= '9') && sp < eot)
         {
             sp++;
-            pointerPos++;
+            if (sp == eot )
+            {
+                return DataBuf();
+            }
         }
+        sp++ ; // step over '\n'
 
-        if (pointerPos == (text.size_ - 1))
-        {
-            return DataBuf();
-        }
+        long length = (long) atol(startOfLength);
 
         // Allocate space
-
         if (length == 0)
         {
 #ifdef DEBUG
             std::cerr << "Exiv2::PngChunk::readRawProfile: Unable To Copy Raw Profile: invalid profile length\n";
 #endif
         }
-
         info.alloc(length);
-
         if (info.size_ != length)
         {
 #ifdef DEBUG
@@ -678,7 +677,7 @@ namespace Exiv2 {
 
         // Copy profile, skipping white space and column 1 "=" signs
 
-        unsigned char *dp = (unsigned char*)info.pData_;
+        unsigned char *dp = (unsigned char*)info.pData_; // decode pointer
         unsigned int nibbles = length * 2;
 
         for (long i = 0; i < (long) nibbles; i++)