From f9c28cdc7a531247825ae93f3a7bb022f1e76686 Mon Sep 17 00:00:00 2001 From: "Sv. Lockal" Date: Sat, 4 May 2013 21:12:23 +0000 Subject: Fix for non-terminated reading of JPEG metadata This commit prevents Blender reading memory next to non-null-terminated JPEG metadata strings --- source/blender/imbuf/intern/jpeg.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'source/blender/imbuf') diff --git a/source/blender/imbuf/intern/jpeg.c b/source/blender/imbuf/intern/jpeg.c index bf0e4187aa6..1ace364482f 100644 --- a/source/blender/imbuf/intern/jpeg.c +++ b/source/blender/imbuf/intern/jpeg.c @@ -370,6 +370,12 @@ static ImBuf *ibJpegImageFromCinfo(struct jpeg_decompress_struct *cinfo, int fla if (marker->marker != JPEG_COM) goto next_stamp_marker; + /* + * JPEG marker strings are not null-terminated, + * create a null-terminated copy before going further + */ + str = BLI_strdupn((char *)marker->data, marker->data_length); + /* * Because JPEG format don't support the * pair "key/value" like PNG, we store the @@ -379,7 +385,7 @@ static ImBuf *ibJpegImageFromCinfo(struct jpeg_decompress_struct *cinfo, int fla * That is why we need split it to the * common key/value here. */ - if (strncmp((char *) marker->data, "Blender", 7)) { + if (strncmp(str, "Blender", 7)) { /* * Maybe the file have text that * we don't know "what it's", in that @@ -389,12 +395,12 @@ static ImBuf *ibJpegImageFromCinfo(struct jpeg_decompress_struct *cinfo, int fla * the information when we write * it back to disk. */ - IMB_metadata_add_field(ibuf, "None", (char *) marker->data); + IMB_metadata_add_field(ibuf, "None", str); ibuf->flags |= IB_metadata; + MEM_freeN(str); goto next_stamp_marker; } - str = BLI_strdup((char *) marker->data); key = strchr(str, ':'); /* * A little paranoid, but the file maybe -- cgit v1.2.3
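Review bot: The bounded copy `str = BLI_strdupn((char *)marker->data, marker->data_length);` is now made before the "Blender"/"None" branch, so from this point every path that reaches `next_stamp_marker` owns a heap string and must release it; the hunk shows the allocation but the release on the "Blender" path is outside it, so the new comment should record that contract, e.g. `/* str is owned by this loop iteration: every exit to next_stamp_marker must MEM_freeN() it */`. The length comes straight from the file, so if BLI_strdupn can return NULL on allocation failure (it appears to sit on MEM_mallocN, but that is not visible here) the `strncmp(str, ...)` that follows would dereference NULL; a one-line `if (str == NULL) goto next_stamp_marker;` after the copy closes that. Embedded NUL bytes inside a COM marker merely shorten the copied string, which is the safe direction. ibJpegImageFromCinfo starts and ends outside the hunk.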
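Review bot: The literal `7` in `strncmp(str, "Blender", 7)` is a magic count that must stay in sync with the prefix literal by hand; now that `str` is NUL-terminated the comparison can be written `if (strncmp(str, "Blender", sizeof("Blender") - 1))` so the length is derived from the string it bounds. This is a style point only, the comparison is correct as written because strncmp stops at the terminator of a short marker. The surrounding function continues outside the hunk.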
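Review bot: Freeing the copy immediately after `IMB_metadata_add_field(ibuf, "None", str);` is only correct if that function copies the value rather than storing the pointer; the pre-patch code passed libjpeg-owned `marker->data` directly, which suggests it does copy, but that is inferred, not visible here, and deserves a comment such as `/* IMB_metadata_add_field() copies the value, so the temporary can be released now */`. With the `BLI_strdup` line removed, `key = strchr(str, ':');` now operates on the strdupn copy made earlier, so the later "paranoid" `!key` exit and the normal end of the "Blender" path, both outside this hunk, must still `MEM_freeN(str)` or every malformed Blender-tagged comment leaks one allocation per marker. ibJpegImageFromCinfo continues past the end of the hunk.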