fix handling of empty exif jpeg data
am: 95ebb389aa

Change-Id: Ibc99ba1b94f0f7217becce6eedcf11ca630c0ba3
diff --git a/libexif/exif-loader.c b/libexif/exif-loader.c
index 317b86b..7aebf1e 100644
--- a/libexif/exif-loader.c
+++ b/libexif/exif-loader.c
@@ -225,7 +225,7 @@
 		break;
 	}
 
-	for (i = 0; i < sizeof (eld->b); i++)
+	for (i = 0; i < sizeof (eld->b); i++) {
 		switch (eld->state) {
 		case EL_EXIF_FOUND:
 			if (!exif_loader_copy (eld, eld->b + i,
@@ -233,9 +233,19 @@
 				return 0;
 			return exif_loader_copy (eld, buf, len);
 		case EL_SKIP_BYTES:
-			eld->size--;
-			if (!eld->size) 
-				eld->state = EL_READ;
+			switch (eld->size) {
+                            case 0:
+			        eld->state = EL_READ;
+				i--;   // reprocess this byte
+				break;
+                            case 1:
+                                eld->size = 0;
+			        eld->state = EL_READ;
+				break;
+                            default:
+                                eld->size--;
+				break;
+			}
 			break;
 
 		case EL_READ_SIZE_BYTE_24:
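Review bot: The `i--` on the `case 0:` path is the only place this loop's index is modified inside the body, and it silently relies on the `for` increment stepping back to the same byte; if `i` is unsigned (its declaration is outside the hunk) the wrap at `i == 0` is defined but reads like a bug, so the comment should say so: `/* byte i was not consumed; the loop's i++ undoes this (wraps back if i == 0) */`. It would also help to note that `size == 0` in EL_SKIP_BYTES is only reached from the malformed-length paths that deliberately store 0, so a reader does not look for a natural countdown to zero. Separately, the new `case` labels and their bodies are indented with spaces while the surrounding file uses tabs (L26, L30, L31, L34, L35); re-indenting them with tabs keeps the switch readable in a tab-width-8 editor. The enclosing function starts and ends outside this hunk.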
@@ -255,12 +265,20 @@
 			switch (eld->data_format) {
 			case EL_DATA_FORMAT_JPEG:
 				eld->state = EL_SKIP_BYTES;
-				eld->size -= 2;
+				if (eld->size < 2) {
+				    // Actually it's malformed...
+				    eld->size = 0;
+				} else
+				    eld->size -= 2;
 				break;
 			case EL_DATA_FORMAT_FUJI_RAW:
 				eld->data_format = EL_DATA_FORMAT_EXIF;
 				eld->state = EL_SKIP_BYTES;
-				eld->size -= 86;
+				if (eld->size < 86) {
+				    // Actually it's malformed...
+				    eld->size = 0;
+				} else
+				    eld->size -= 86;	// and put this in an else
 				break;
 			case EL_DATA_FORMAT_EXIF:
 				eld->state = EL_EXIF_FOUND;
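Review bot: The two new guards prevent the `size -= 2` / `size -= 86` underflow, but their comments do not say why the thresholds are what they are, and the trailing `// and put this in an else` on the Fuji branch reads like a leftover editing note rather than documentation. For the JPEG branch I would write `/* the segment length counts its own two bytes, so anything below 2 is malformed; skip nothing and let EL_SKIP_BYTES hand the next byte back to EL_READ */`, and for the Fuji branch the equivalent for the 86-byte header offset, dropping the stray note. Style-wise the `if` body is braced and indented with four spaces while the `else` is unbraced, in a tab-indented file; bracing both arms with tab indentation, e.g. `} else {` / `eld->size -= 2;` / `}`, matches the rest of the switch. Both branches rely on the `case 0:` handling in EL_SKIP_BYTES elsewhere in this function, which starts and ends outside the hunk.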
@@ -304,6 +322,7 @@
 				return 0;
 			}
 		}
+	}
 
 	/*
 	 * If we reach this point, the buffer has not been big enough