diff options
author | Cosmin Truta <ctruta@gmail.com> | 2022-09-14 22:00:42 +0300 |
---|---|---|
committer | Cosmin Truta <ctruta@gmail.com> | 2022-09-14 22:00:42 +0300 |
commit | 2733482d8eb0cd3ee366148a7d5f2f5d8810d552 (patch) | |
tree | fcf681f6f9f63c0894bcbc5e1b357c824af82ea4 | |
parent | 3d57708c9166419b7f5e0bbda2f7a2149112c844 (diff) | |
download | libpng-2733482d8eb0cd3ee366148a7d5f2f5d8810d552.tar.gz |
Fix a last-minute bug in the checking of the EXIF byte-order header
The check should fail if the EXIF byte-order header doesn't start with
a correct character, or if the two heading characters aren't identical.
Rewrite the check to make the code logic easier to follow.
-rw-r--r-- | pngrutil.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/pngrutil.c b/pngrutil.c index 3c7e0e62d..ca060dd15 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -2075,14 +2075,17 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) png_byte buf[1]; png_crc_read(png_ptr, buf, 1); info_ptr->eXIf_buf[i] = buf[0]; - if (i == 1 && buf[0] != 'M' && buf[0] != 'I' - && info_ptr->eXIf_buf[0] != buf[0]) + if (i == 1) { - png_crc_finish(png_ptr, length-i-1); - png_chunk_benign_error(png_ptr, "incorrect byte-order specifier"); - png_free(png_ptr, info_ptr->eXIf_buf); - info_ptr->eXIf_buf = NULL; - return; + if ((buf[0] != 'M' && buf[0] != 'I') || + (info_ptr->eXIf_buf[0] != buf[0])) + { + png_crc_finish(png_ptr, length - 2); + png_chunk_benign_error(png_ptr, "incorrect byte-order specifier"); + png_free(png_ptr, info_ptr->eXIf_buf); + info_ptr->eXIf_buf = NULL; + return; + } } } |