diff --git a/include/exiv2/value.hpp b/include/exiv2/value.hpp
index 64a8ca7..4e9f285 100644
--- a/include/exiv2/value.hpp
+++ b/include/exiv2/value.hpp
@@ -1658,11 +1658,13 @@ namespace Exiv2 {
ok_ = true;
return static_cast<long>(value_[n]);
}
+// #55 crash when value_[n].first == LONG_MIN
+#define LARGE_INT 1000000
// Specialization for rational
template<>
inline long ValueType<Rational>::toLong(long n) const
{
- ok_ = (value_[n].second != 0);
+ ok_ = (value_[n].second != 0 && -LARGE_INT < value_[n].first && value_[n].first < LARGE_INT);
if (!ok_) return 0;
return value_[n].first / value_[n].second;
}
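Review bot: The new guard on the `ok_` line rejects every Rational whose numerator lies outside ±1,000,000, although the only input that makes the signed division below trap is a numerator equal to its type's minimum combined with a denominator of -1, so legitimate large-numerator values now report `ok_ == false` and read back as 0. A targeted check keeps the fix without the false rejections: `ok_ = (value_[n].second != 0 && !(value_[n].first == std::numeric_limits<decltype(value_[n].first)>::min() && value_[n].second == -1));` (needs `<limits>`). The `#define LARGE_INT 1000000` also lands unprefixed in a public header, where it can collide with any includer's own macro; if a bound is kept at all, a constant declared inside `namespace Exiv2` avoids that. The comment above it would be more useful as `// #55: guard the signed division below against the one case (min / -1) that overflows`, since the crash is the overflow, not the value LONG_MIN by itself.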
@@ -1670,7 +1672,7 @@ namespace Exiv2 {
template<>
inline long ValueType<URational>::toLong(long n) const
{
- ok_ = (value_[n].second != 0);
+ ok_ = (value_[n].second != 0 && value_[n].first < LARGE_INT);
if (!ok_) return 0;
return value_[n].first / value_[n].second;
}
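Review bot: The added numerator bound on the `ok_` line serves no purpose for URational: unsigned division cannot overflow, so the only failing input is a zero denominator, and the bound now makes every value with a numerator of 1,000,000 or more report `ok_ == false` and return 0. If the intent is only to mirror the signed-division fix in the Rational specialization above, `ok_ = (value_[n].second != 0);` is sufficient here. If the bound is instead meant to keep the quotient representable in `long` on 32-bit targets, that is a different concern and deserves its own comment, because a cap on the numerator alone does not express it; I can't see the component types of URational from this hunk.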
diff --git a/src/basicio.cpp b/src/basicio.cpp
index 1ede931..eac756f 100644
--- a/src/basicio.cpp
+++ b/src/basicio.cpp
@@ -990,6 +990,7 @@ namespace Exiv2 {
DataBuf FileIo::read(long rcount)
{
assert(p_->fp_ != 0);
+ if ( (size_t) rcount > size() ) throw Error(57);
DataBuf buf(rcount);
long readCount = read(buf.pData_, buf.size_);
buf.size_ = readCount;
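Review bot: The new bounds check in FileIo::read rejects a negative `rcount` only as a side effect of the C-style cast (it wraps to a huge `size_t` and fails the comparison), and that intent is invisible to a reader. Spelling it out with a named cast makes it read as the defensive check it is: `if (rcount < 0 || static_cast<size_t>(rcount) > size()) throw Error(57);`. Two caveats are worth a comment on that line: the bound is the whole file size rather than the bytes remaining from the current position, which is fine for capping the allocation but is not a guarantee that the bytes exist; and if `size()` can signal failure with a negative value (its signature is outside this hunk), that value would convert to a large unsigned and let the check pass silently, so it should be rejected before the comparison. FileIo::read's body continues past the hunk.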
diff --git a/src/image.cpp b/src/image.cpp
index 31b9b81..eeb1f37 100644
--- a/src/image.cpp
+++ b/src/image.cpp
@@ -399,7 +399,13 @@ namespace Exiv2 {
;
// if ( offset > io.size() ) offset = 0; // Denial of service?
- DataBuf buf(size*count + pad+20); // allocate a buffer
+
+ // #55 memory allocation crash test/data/POC8
+ long long allocate = (long long) size*count + pad+20;
+ if ( allocate > (long long) io.size() ) {
+ throw Error(57);
+ }
+ DataBuf buf(allocate); // allocate a buffer
std::memcpy(buf.pData_,dir.pData_+8,4); // copy dir[8:11] into buffer (short strings)
if ( count*size > 4 ) { // read into buffer
size_t restore = io.tell(); // save
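Review bot: The widening cast on the `allocate` line is not carried into the `if ( count*size > 4 )` check two lines below, which still multiplies in the operands' own types and can yield a different value from the one that was just range-checked whenever the product needs more bits than those types hold. Computing the product once and using it in both places removes the inconsistency: `long long dataSize = (long long) size*count;`, `long long allocate = dataSize + pad+20;`, and `if ( dataSize > 4 )`. The comparison against `io.size()` caps the allocation but does not rule out a negative `allocate` if `size`, `count` or `pad` are signed (their declarations are above the hunk); a negative value passes the comparison and reaches `DataBuf buf(allocate)`, so `allocate < 0` should throw as well, and the `long long` to DataBuf size conversion on that line is a silent narrowing wherever `long` is 32-bit. The enclosing function starts before this hunk and continues after it.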