Cleanup buffer length calculation.
parent
37001e4cba
commit
6c08800089
|
@ -85,12 +85,10 @@ fn get_exif_attr_sub<R>(reader: &mut R)
|
|||
_ => {},
|
||||
}
|
||||
// Read marker segments.
|
||||
let seglen = read16(reader)?;
|
||||
if seglen < 2 {
|
||||
return Err(Error::InvalidFormat("Invalid segment length"));
|
||||
}
|
||||
let len = read16(reader)?.checked_sub(2)
|
||||
.ok_or(Error::InvalidFormat("Invalid segment length"))?;
|
||||
let mut seg = Vec::new();
|
||||
reader.by_ref().take(seglen as u64 - 2).read_to_end(&mut seg)?;
|
||||
reader.by_ref().take(len.into()).read_to_end(&mut seg)?;
|
||||
if code == marker::APP1 && seg.starts_with(&EXIF_ID) {
|
||||
seg.drain(..EXIF_ID.len());
|
||||
return Ok(seg);
|
||||
|
|
|
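Review bot: The bounded read `reader.by_ref().take(len.into()).read_to_end(&mut seg)?` still succeeds when the input ends early, so a segment that declares more bytes than the stream holds is accepted with a shorter `seg`. Nothing in the visible lines compares the number of bytes read with `len`. If the rest of get_exif_attr_sub, which continues outside this hunk, does not already check this, consider adding `if seg.len() != usize::from(len) { return Err(Error::InvalidFormat("Truncated segment")); }` directly after the read (assuming `len` is a `u16`, as the `read16` call suggests). A truncated APP1 payload would then be rejected rather than handed on to the Exif parser.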
@ -77,7 +77,8 @@ fn get_exif_attr_sub<R>(reader: &mut R)
|
|||
return Ok(data);
|
||||
}
|
||||
// Chunk data and CRC.
|
||||
reader.discard_exact(len + 4)?;
|
||||
reader.discard_exact(len.checked_add(4).ok_or(
|
||||
Error::InvalidFormat("Invalid chunk length"))?)?;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
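Review bot: The overflow guard is hard to read with the call broken inside `ok_or(`, and the literal 4 is explained only by the comment above it. Binding the sum first keeps the check and the skip apart: `let skip = len.checked_add(4).ok_or(Error::InvalidFormat("Invalid chunk length"))?;` followed by `reader.discard_exact(skip)?;`. No test in the visible part of this commit exercises a chunk length near the type's maximum. Such a test would pin the new error path, though whether that path is reachable depends on the width of `len`, which is declared outside the hunk.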
13
src/webp.rs
13
src/webp.rs
|
@ -131,6 +131,19 @@ mod tests {
|
|||
assert_err_pat!(get_exif_attr(&mut &data[..]), Error::NotFound(_));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn overflowing_parent() {
|
||||
let mut data = b"RIFF\x10\0\0\0WEBPEXIF\x04\0\0\0Exif".to_vec();
|
||||
assert_eq!(get_exif_attr(&mut &data[..]).unwrap(), b"Exif");
|
||||
for x in 0x05..=0x0f {
|
||||
data[4] = x;
|
||||
assert_err_pat!(get_exif_attr(&mut &data[..]),
|
||||
Error::InvalidFormat(_));
|
||||
}
|
||||
data[4] = 0x04;
|
||||
assert_err_pat!(get_exif_attr(&mut &data[..]), Error::NotFound(_));
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn odd_at_last_without_padding() {
|
||||
let data = b"RIFF\x17\0\0\0WEBPwhat\0\0\0\0EXIF\x03\0\0\0abc";
|
||||
|
|
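Review bot: `overflowing_parent` does not say why 0x10, 0x05..=0x0f and 0x04 are the boundaries, so a reader has to recount the bytes of the literal to see what each assertion proves. I would add a comment above the loop, for example `// RIFF size 0x10 = "WEBP" (4) + chunk header (8) + data (4); anything smaller cuts into the EXIF chunk.`, and one before the last assertion, `// Size 4 covers only "WEBP", so no chunk is visible.`. Parent sizes 0x00..=0x03, which are shorter than the form type itself, are not covered in this hunk; if they are not tested elsewhere in the module, one more assertion would close the range.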