From 03173751b4d7053d6ddf52a15904e8f751f78f56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Sun, 2 Sep 2018 14:39:52 +0200
Subject: [PATCH 2/5] Fix bug in PngChunk::readRawProfile

- Now it takes into account text.size_ when searching for a newline char.
---
 src/pngchunk.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
index 58281b3ff..755872c94 100644
--- a/src/pngchunk.cpp
+++ b/src/pngchunk.cpp
@@ -629,11 +629,19 @@ namespace Exiv2 {
 
 
         sp = (char*)text.pData_+1;
+        int pointerPos = 1;
 
         // Look for newline
-
-        while (*sp != '\n')
+        while (*sp != '\n' && pointerPos < (text.size_ - 1))
+        {
             sp++;
+            pointerPos++;
+        }
+
+        if (pointerPos == (text.size_ - 1))
+        {
+            return DataBuf();
+        }
 
         // Look for length
 

From cf3ba049a2792ec2a4a877e343f5dd9654da53dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz=20M=C3=A1s?= <piponazo@gmail.com>
Date: Mon, 3 Sep 2018 08:51:08 +0200
Subject: [PATCH 3/5] Fix more issues in PngChunk::readRawProfile

---
 src/pngchunk.cpp | 36 +++++++++++++----------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
index 755872c94..9b3faf1aa 100644
--- a/src/pngchunk.cpp
+++ b/src/pngchunk.cpp
@@ -606,11 +606,6 @@ namespace Exiv2 {
     DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt)
     {
         DataBuf info;
-        register long i;
-        register unsigned char *dp;
-        const char *sp;
-        unsigned int nibbles;
-        long length;
         unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
                                   0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
                                   0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
@@ -627,8 +622,7 @@ namespace Exiv2 {
             return info;
         }
 
-
-        sp = (char*)text.pData_+1;
+        const char *sp = (char*)text.pData_+1;
         int pointerPos = 1;
 
         // Look for newline
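Review bot: The new loop condition `while (*sp != '\n' && pointerPos < (text.size_ - 1))` dereferences `sp` before it compares the bound, so `text.pData_[1]` is read on entry regardless of size; the only size guard visible in this series is `if (text.size_ == 0)`, so a one-byte text reaches this read one past the buffer unless the check preceding `return info;` (outside this hunk) already rules it out. Swapping the operands, `while (pointerPos < (text.size_ - 1) && *sp != '\n')`, costs nothing and makes the bound decide first. The post-loop test should then be `if (pointerPos >= (text.size_ - 1)) return DataBuf();`, because with the swapped order a size-1 text leaves `pointerPos` at 1 and `text.size_ - 1` at 0, which the equality check lets through to the unbounded scans below. readRawProfile begins and ends outside this hunk.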
@@ -638,20 +632,30 @@ namespace Exiv2 {
             pointerPos++;
         }
 
+        // Look for length
+        while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
+        {
+            sp++;
+            pointerPos++;
+        }
+
         if (pointerPos == (text.size_ - 1))
         {
             return DataBuf();
         }
 
-        // Look for length
+        long length = (long) atol(sp);
 
-        while (*sp == '\0' || *sp == ' ' || *sp == '\n')
+        while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
+        {
             sp++;
+            pointerPos++;
+        }
 
-        length = (long) atol(sp);
-
-        while (*sp != ' ' && *sp != '\n')
-            sp++;
+        if (pointerPos == (text.size_ - 1))
+        {
+            return DataBuf();
+        }
 
         // Allocate space
 
@@ -674,10 +678,10 @@ namespace Exiv2 {
 
         // Copy profile, skipping white space and column 1 "=" signs
 
-        dp = (unsigned char*)info.pData_;
-        nibbles = length * 2;
+        unsigned char *dp = (unsigned char*)info.pData_;
+        unsigned int nibbles = length * 2;
 
-        for (i = 0; i < (long) nibbles; i++)
+        for (long i = 0; i < (long) nibbles; i++)
         {
             while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')
             {

From 8b480bc5b2cc2abb8cf6fe4e16c24e58916464d2 Mon Sep 17 00:00:00 2001
From: Robin Mills <robin@clanmills.com>
Date: Mon, 10 Sep 2018 20:54:53 +0200
Subject: [PATCH 4/5] Fixes in PngChunk::readRawProfile

---
 src/pngchunk.cpp | 55 ++++++++++++++++++++++----------------------
 1 file changed, 27 insertions(+), 28 deletions(-)

diff --git a/src/pngchunk.cpp b/src/pngchunk.cpp
index 9b3faf1aa..f81b560aa 100644
--- a/src/pngchunk.cpp
+++ b/src/pngchunk.cpp
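Review bot: `long length = (long) atol(sp);` is taken at face value, and nothing between it and `// Allocate space` rejects a negative or oversized value; the only later check visible in this series is `if (length == 0)`, which merely logs under DEBUG. A hex-encoded profile of `length` bytes needs at least `2 * length` bytes left in `text`, so `if (length <= 0 || length > (text.size_ - pointerPos) / 2) return DataBuf();` right after the atol call rejects bogus lengths before any allocation and before the copy loop has a reason to run off the end. atol itself also keeps consuming digits with no regard for `text.size_`, so unless DataBuf guarantees a trailing NUL (nothing here shows that) a text ending in digits is read past its end before the following loop gets a chance to bail out; bounding the digit run first, or parsing from a length-limited copy, would avoid that. readRawProfile continues outside this hunk.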
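Review bot: The skip loop `while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')` still advances `sp` with no comparison against `text.size_`, even though this commit bounds every earlier scan with `pointerPos`; when the parsed `length` claims more hex digits than remain in `text`, this loop walks `sp` past the buffer hunting for the next digit. Carrying `pointerPos` into this loop, incrementing it alongside `sp++` and returning `DataBuf()` once it reaches `text.size_ - 1`, closes that gap with the same mechanism used above. Separately, `unsigned int nibbles = length * 2;` truncates a `long`, so for a large `length` the loop count no longer corresponds to the `info.alloc(length)` performed earlier; declaring `nibbles` as `long` keeps the two consistent. The body of the for loop continues outside this hunk.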
@@ -607,11 +607,11 @@ namespace Exiv2 {
     {
         DataBuf info;
         unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
-                                  0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
-                                  0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
-                                  0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
-                                  0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
-                                  13,14,15};
+                                  0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+                                  0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0,
+                                  0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,
+                                  0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,10,11,12,
+                                  13,14,15};
         if (text.size_ == 0) {
             return DataBuf();
         }
@@ -622,52 +622,51 @@ namespace Exiv2 {
             return info;
         }
 
-        const char *sp = (char*)text.pData_+1;
-        int pointerPos = 1;
+        const char *sp = (char*) text.pData_+1; // current byte (space pointer)
+        const char *eot = (char*) text.pData_+text.size_; // end of text
 
         // Look for newline
-        while (*sp != '\n' && pointerPos < (text.size_ - 1))
+        while (*sp != '\n' && sp < eot )
         {
             sp++;
-            pointerPos++;
+            if ( sp == eot )
+            {
+                return DataBuf();
+            }
         }
+        sp++ ; // step over '\n'
 
         // Look for length
-        while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1))
+        while ( (*sp == '\0' || *sp == ' ' || *sp == '\n') && sp < eot )
         {
             sp++;
-            pointerPos++;
-        }
-
-        if (pointerPos == (text.size_ - 1))
-        {
-            return DataBuf();
+            if (sp == eot )
+            {
+                return DataBuf();
+            }
         }
 
-        long length = (long) atol(sp);
-
-        while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1))
+        const char* startOfLength = sp;
+        while ( ('0' <= *sp && *sp <= '9') && sp < eot)
         {
             sp++;
-            pointerPos++;
+            if (sp == eot )
+            {
+                return DataBuf();
+            }
         }
+        sp++ ; // step over '\n'
 
-        if (pointerPos == (text.size_ - 1))
-        {
-            return DataBuf();
-        }
+        long length = (long) atol(startOfLength);
 
         // Allocate space
-
         if (length == 0)
         {
 #ifdef DEBUG
             std::cerr << "Exiv2::PngChunk::readRawProfile: Unable To Copy Raw Profile: invalid profile length\n";
 #endif
         }
-
         info.alloc(length);
-
         if (info.size_ != length)
         {
 #ifdef DEBUG
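Review bot: All three new loops dereference `*sp` before comparing `sp < eot`, so the byte at `eot` is read whenever `sp` lands exactly there: on entry when `text.size_` is 1, and after either `sp++ ; // step over '\n'` when the newline was the last byte of the text. Swapping the operands, e.g. `while ( sp < eot && *sp != '\n' )` for each loop, and adding `if (sp >= eot) return DataBuf();` after each step-over keeps every read inside the buffer. The digit loop also never checks that it consumed a digit or that the byte it then steps over is a newline, so `atol(startOfLength)` can still return a negative value for input like `-5`, and nothing below rejects it — `if (length == 0)` only logs — before `info.alloc(length)`, whose handling of a negative size is not visible here. Rejecting `sp == startOfLength` before the step-over and, since a hex profile needs `2 * length` bytes, checking `if (length <= 0 || length > (eot - sp) / 2) return DataBuf();` before `// Allocate space` closes both holes cheaply. readRawProfile continues past `#ifdef DEBUG`, outside this hunk.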
@@ -678,7 +677,7 @@ namespace Exiv2 {
 
         // Copy profile, skipping white space and column 1 "=" signs
 
-        unsigned char *dp = (unsigned char*)info.pData_;
+        unsigned char *dp = (unsigned char*)info.pData_; // decode pointer
         unsigned int nibbles = length * 2;
 
         for (long i = 0; i < (long) nibbles; i++)