Fix for non-terminated reading of JPEG metadata

This commit prevents Blender reading memory next to non-null-terminated JPEG metadata strings

1 files changed, 9 insertions, 3 deletions

diff --git a/source/blender/imbuf/intern/jpeg.c b/source/blender/imbuf/intern/jpeg.c
index bf0e4187aa6..1ace364482f 100644
--- a/source/blender/imbuf/intern/jpeg.c
+++ b/source/blender/imbuf/intern/jpeg.c
@@ -371,6 +371,12 @@ static ImBuf *ibJpegImageFromCinfo(struct jpeg_decompress_struct *cinfo, int fla
 					goto next_stamp_marker;
 
 				/*
+				 * JPEG marker strings are not null-terminated,
+				 * create a null-terminated copy before going further
+				 */
+				str = BLI_strdupn((char *)marker->data, marker->data_length);
+
+				/*
 				 * Because JPEG format don't support the
 				 * pair "key/value" like PNG, we store the
 				 * stampinfo in a single "encode" string:
@@ -379,7 +385,7 @@ static ImBuf *ibJpegImageFromCinfo(struct jpeg_decompress_struct *cinfo, int fla
 				 * That is why we need split it to the
 				 * common key/value here.
 				 */
-				if (strncmp((char *) marker->data, "Blender", 7)) {
+				if (strncmp(str, "Blender", 7)) {
 					/*
 					 * Maybe the file have text that
 					 * we don't know "what it's", in that
@@ -389,12 +395,12 @@ static ImBuf *ibJpegImageFromCinfo(struct jpeg_decompress_struct *cinfo, int fla
 					 * the information when we write
 					 * it back to disk.
 					 */
-					IMB_metadata_add_field(ibuf, "None", (char *) marker->data);
+					IMB_metadata_add_field(ibuf, "None", str);
 					ibuf->flags |= IB_metadata;
+					MEM_freeN(str);
 					goto next_stamp_marker;
 				}
 
-				str = BLI_strdup((char *) marker->data);
 				key = strchr(str, ':');
 				/*
 				 * A little paranoid, but the file maybe