
List:       kde-commits
Subject:    kdegraphics/kfile-plugins/jpeg
From:       David Faure <faure () kde ! org>
Date:       2005-01-08 2:39:38
Message-ID: 20050108023938.E0AFB1BA75 () office ! kde ! org

CVS commit by faure: 

Applied patch by Steve Grubb:

kfile-plugins/jpeg/exif.cpp
process_EXIF is called without verifying that itemlen >= 8. If you look at the
called function, it accesses the 8th element in the data array. The same goes for
the process_SOFn function. For both of these, I placed a FIXME tag since I don't
know how you really want to handle it. The code does check for itemlen > 2, but
that's not sufficient for these 2 cases.

kfile-plugins/jpeg/kfile_setcomment.cpp has a couple of memory leaks.


  M +6 -2      exif.cpp   1.12
  M +7 -0      kfile_setcomment.cpp   1.4


--- kdegraphics/kfile-plugins/jpeg/exif.cpp  #1.11:1.12
@@ -326,5 +326,7 @@ int ExifData::ReadJpegSections (QFile & 
                 // it says 'Exif' in the section before treating it as exif.
                 if ((ReadMode & READ_EXIF) && memcmp(Data+2, "Exif", 4) == 0){
-                    process_EXIF((uchar *)Data, itemlen);
+                    process_EXIF((uchar *)Data, itemlen); // FIXME: This call
+                        // requires Data to be array of at least 8 bytes. Code
+                        // above only checks for itemlen < 2.
                 }else{
                     // Discard this section.
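Review bot: The added FIXME records the out-of-bounds read but leaves it reachable: `memcmp(Data+2, "Exif", 4)` and the `process_EXIF` call still run on a section whose `itemlen` may be smaller than the bytes they touch, and that length presumably comes from the file being parsed. Folding the length into the condition would send short sections to the existing discard branch: `if ((ReadMode & READ_EXIF) && itemlen >= 8 && memcmp(Data+2, "Exif", 4) == 0){`. The `process_SOFn` hunk below has the same gap and could use `if (itemlen >= 8) process_SOFn(Data, marker);`. The 8-byte minimum is taken from the commit message, since neither callee is visible here, and ReadJpegSections continues outside both hunks.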
@@ -346,5 +348,7 @@ int ExifData::ReadJpegSections (QFile & 
             case M_SOF14:
             case M_SOF15:
-                process_SOFn(Data, marker);
+                process_SOFn(Data, marker); //FIXME: This call requires Data to
+                // be array of at least 8 bytes. Code above only checks for 
+                // itemlen < 2.
             default:
                 break;

--- kdegraphics/kfile-plugins/jpeg/kfile_setcomment.cpp  #1.3:1.4
@@ -414,4 +414,5 @@ struct stat  statbuf;
   if( !outfile ) {
     fprintf(stderr, "failed opening temporary file %s\n", temp_filename);
+    free(temp_filename);
     return(ERROR_TEMP_FILE);
     }
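Review bot: The same `free(temp_filename);` is now repeated before every return in this function (this hunk and the five that follow), so the next early return added here will leak again. A single exit path would hold up better: set a result variable and `goto cleanup;` on each error, with one `free(temp_filename);` under the label before the `return`. The function starts and ends outside the visible hunks, so the label placement needs checking against the full body.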
@@ -423,4 +424,5 @@ struct stat  statbuf;
   if ((infile = fopen(original_filename, READ_BINARY)) == NULL) {
     fprintf(stderr, "can't open input file %s\n", original_filename);
+    free(temp_filename);
     return(ERROR_NOT_A_JPEG);
     }
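Review bot: This return releases `temp_filename` but, as far as the visible lines show, leaves `outfile` open and the freshly created temporary file on disk, because the `!outfile` check in the previous hunk has already passed by the time `fopen(original_filename, READ_BINARY)` fails. Consider `fclose(outfile); remove(temp_filename);` ahead of the `free(temp_filename);` here. The later error returns (failed `fclose`, failed `validate_image_file`, `global_error`, failed `rename`) also appear to leave the temporary file behind, which is worth cleaning up unless that already happens outside the hunks shown.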
@@ -455,4 +457,5 @@ struct stat  statbuf;
   if ( fclose( outfile ) ) {
     fprintf(stderr, "error in temporary file %s\n", temp_filename);
+    free(temp_filename);
     return(ERROR_TEMP_FILE);
     }
@@ -464,4 +467,5 @@ struct stat  statbuf;
   if( validate_image_file( temp_filename ) ) {
     fprintf(stderr, "error in temporary file %s\n", temp_filename);
+    free(temp_filename);
     return(ERROR_TEMP_FILE);
     }
@@ -469,4 +473,5 @@ struct stat  statbuf;
   if( global_error >= ERROR_NOT_A_JPEG ) {
     fprintf(stderr, "error %d processing %s\n", global_error, original_filename);
+    free(temp_filename);
     return(ERROR_NOT_A_JPEG);
     }
@@ -474,6 +479,8 @@ struct stat  statbuf;
   if( rename( temp_filename, original_filename ) ) {
     fprintf(stderr, "error renaming %s to %s\n", temp_filename, original_filename);
+    free(temp_filename);
     return(ERROR_TEMP_FILE);
     }
+  free(temp_filename);
 
   return(0);

