author | Sv. Lockal <lockalsash@gmail.com> | 2013-05-05 01:12:23 +0400 |
---|---|---|
committer | Sv. Lockal <lockalsash@gmail.com> | 2013-05-05 01:12:23 +0400 |
commit | f9c28cdc7a531247825ae93f3a7bb022f1e76686 (patch) | |
tree | 18a8c78bbd886f761be9a5dad9c32aa13885c027 /source/blender/imbuf | |
parent | fd0ad3c8df4c426f341703931e5db30a658ee2d8 (diff) |
Fix for non-terminated reading of JPEG metadata
This commit prevents Blender from reading memory beyond non-null-terminated JPEG metadata strings.
Diffstat (limited to 'source/blender/imbuf')
-rw-r--r-- | source/blender/imbuf/intern/jpeg.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/source/blender/imbuf/intern/jpeg.c b/source/blender/imbuf/intern/jpeg.c
index bf0e4187aa6..1ace364482f 100644
--- a/source/blender/imbuf/intern/jpeg.c
+++ b/source/blender/imbuf/intern/jpeg.c
@@ -371,6 +371,12 @@ static ImBuf *ibJpegImageFromCinfo(struct jpeg_decompress_struct *cinfo, int fla
 goto next_stamp_marker;
 /*
+ * JPEG marker strings are not null-terminated,
+ * create a null-terminated copy before going further
+ */
+ str = BLI_strdupn((char *)marker->data, marker->data_length);
+
+ /*
 * Because JPEG format don't support the
 * pair "key/value" like PNG, we store the
 * stampinfo in a single "encode" string:
@@ -379,7 +385,7 @@ static ImBuf *ibJpegImageFromCinfo(struct jpeg_decompress_struct *cinfo, int fla
 * That is why we need split it to the
 * common key/value here.
 */
- if (strncmp((char *) marker->data, "Blender", 7)) {
+ if (strncmp(str, "Blender", 7)) {
 /*
 * Maybe the file have text that
 * we don't know "what it's", in that
@@ -389,12 +395,12 @@ static ImBuf *ibJpegImageFromCinfo(struct jpeg_decompress_struct *cinfo, int fla
 * the information when we write
 * it back to disk.
 */
- IMB_metadata_add_field(ibuf, "None", (char *) marker->data);
+ IMB_metadata_add_field(ibuf, "None", str);
 ibuf->flags |= IB_metadata;
+ MEM_freeN(str);
 goto next_stamp_marker;
 }
- str = BLI_strdup((char *) marker->data);
 key = strchr(str, ':');
 /*
 * A little paranoid, but the file maybe |
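Review bot: The comment added above the `BLI_strdupn` call in the first hunk explains the missing terminator but not the ownership change that comes with it. `str` is now allocated before the `strncmp` test, so every later jump to `next_stamp_marker` has to release it, including the unknown-text branch that previously allocated nothing. I would add a line to that comment such as `* str is owned by this iteration and must be MEM_freeN()'d on every path to next_stamp_marker.` The key/value path after `strchr` continues outside the visible hunks, so its cleanup cannot be confirmed from this page, although it already owned a copy before the change.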
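Review bot: In the third hunk, `MEM_freeN(str)` directly after `IMB_metadata_add_field(ibuf, "None", str)` is only safe if that function stores its own copy of the value, and its definition is not on this page. The old call passed libjpeg's `marker->data`, which suggests that it does copy, but the assumption is now load-bearing. A short comment before the free, for example `/* IMB_metadata_add_field() copies the value, so the temporary can be released */`, would keep a later change to the metadata code from turning this into a use-after-free.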