List: kde-commits
Subject: kdegraphics/kfile-plugins/jpeg
From: David Faure <faure () kde ! org>
Date: 2005-01-08 2:39:38
Message-ID: 20050108023938.E0AFB1BA75 () office ! kde ! org
CVS commit by faure:
Applied patch by Steve Grubb:
kfile-plugins/jpeg/exif.cpp
process_EXIF is called without verifying that itemlen >= 8. If you look at the
called function, it accesses the 8th element in the data array. The same goes for
the process_SOFn function. For both of these, I placed a FIXME tag since I don't
know how you really want to handle it. The code does check for itemlen > 2, but
that's not sufficient for these 2 cases.
kfile-plugins/jpeg/kfile_setcomment.cpp has a couple of memory leaks.
M +6 -2 exif.cpp 1.12
M +7 -0 kfile_setcomment.cpp 1.4
--- kdegraphics/kfile-plugins/jpeg/exif.cpp #1.11:1.12
@@ -326,5 +326,7 @@ int ExifData::ReadJpegSections (QFile &
// it says 'Exif' in the section before treating it as exif.
if ((ReadMode & READ_EXIF) && memcmp(Data+2, "Exif", 4) == 0){
- process_EXIF((uchar *)Data, itemlen);
+ process_EXIF((uchar *)Data, itemlen); // FIXME: This call
+ // requires Data to be array of at least 8 bytes. Code
+ // above only checks for itemlen < 2.
}else{
// Discard this section.
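Review bot: The out-of-bounds read is still reachable at the `process_EXIF` call, because the added lines only record it in a FIXME and the section length presumably comes from the JPEG being parsed. The `memcmp(Data+2, "Exif", 4)` in the condition already reads bytes 2–5, so the guard belongs ahead of it, `if ((ReadMode & READ_EXIF) && itemlen >= 8 && memcmp(Data+2, "Exif", 4) == 0){`, which lets a short section fall into the existing discard branch. The `process_SOFn(Data, marker)` hunk below has the same gap; that call is passed no length, so the check has to sit at the call site, e.g. `if (itemlen >= 8) process_SOFn(Data, marker);`. The 8-byte minimum is taken from the commit message, and the comment's "itemlen < 2" disagrees with the message's "itemlen > 2", so the comment should match whatever check is actually made above the hunk. Both calls are inside ReadJpegSections, whose body starts and ends outside the hunks.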
@@ -346,5 +348,7 @@ int ExifData::ReadJpegSections (QFile &
case M_SOF14:
case M_SOF15:
- process_SOFn(Data, marker);
+ process_SOFn(Data, marker); //FIXME: This call requires Data to
+ // be array of at least 8 bytes. Code above only checks for
+ // itemlen < 2.
default:
break;
--- kdegraphics/kfile-plugins/jpeg/kfile_setcomment.cpp #1.3:1.4
@@ -414,4 +414,5 @@ struct stat statbuf;
if( !outfile ) {
fprintf(stderr, "failed opening temporary file %s\n", temp_filename);
+ free(temp_filename);
return(ERROR_TEMP_FILE);
}
@@ -423,4 +424,5 @@ struct stat statbuf;
if ((infile = fopen(original_filename, READ_BINARY)) == NULL) {
fprintf(stderr, "can't open input file %s\n", original_filename);
+ free(temp_filename);
return(ERROR_NOT_A_JPEG);
}
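Review bot: This error return frees `temp_filename` but appears to leave `outfile` open and the temporary file on disk, since the previous hunk shows `outfile` was opened successfully before this `fopen` of the input. Closing and removing it here would complete the cleanup: `fclose(outfile); remove(temp_filename); free(temp_filename);`. The later `validate_image_file`, `global_error` and `rename` failure paths likewise return without removing the temporary file. With seven hand-written `free(temp_filename)` calls now in the function, a single cleanup label reached by `goto` would keep the next added return from reintroducing the leak. The function body starts and ends outside these hunks, so whether `outfile` is closed between the two hunks could not be checked.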
@@ -455,4 +457,5 @@ struct stat statbuf;
if ( fclose( outfile ) ) {
fprintf(stderr, "error in temporary file %s\n", temp_filename);
+ free(temp_filename);
return(ERROR_TEMP_FILE);
}
@@ -464,4 +467,5 @@ struct stat statbuf;
if( validate_image_file( temp_filename ) ) {
fprintf(stderr, "error in temporary file %s\n", temp_filename);
+ free(temp_filename);
return(ERROR_TEMP_FILE);
}
@@ -469,4 +473,5 @@ struct stat statbuf;
if( global_error >= ERROR_NOT_A_JPEG ) {
fprintf(stderr, "error %d processing %s\n", global_error, original_filename);
+ free(temp_filename);
return(ERROR_NOT_A_JPEG);
}
@@ -474,6 +479,8 @@ struct stat statbuf;
if( rename( temp_filename, original_filename ) ) {
fprintf(stderr, "error renaming %s to %s\n", temp_filename, original_filename);
+ free(temp_filename);
return(ERROR_TEMP_FILE);
}
+ free(temp_filename);
return(0);