From c188578f3f807c967b54b73b793399f0e23f54b3 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
Date: Fri, 23 Jul 2021 20:17:50 +0200
Subject: [PATCH] Fix out of boundary access with exif (#617)

* Fix out of boundary access

The while-loop is not finished when pos is set to EXIF_MAX_DATA.
Instead, the loop continues and therefore tries to access data outside
of the array.

This is triggered when compiled with exif=1 and asan:

$ feh --draw-exif image.jpg

* Fixed formatting

No functional change, but makes the previous commit easier to verify
(independent of tab space setup).

* Call break; instead of setting pos2 to a magic value

This is in line with the following else clause

* Another cosmetic adjustment

Co-authored-by: Daniel Friesel <derf@finalrewind.org>
---
 src/imlib.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/src/imlib.c b/src/imlib.c
index 6f31e96..140e487 100644
--- a/src/imlib.c
+++ b/src/imlib.c
@@ -1183,23 +1183,23 @@ void feh_draw_exif(winwidget w)
 				if ( (buffer[pos] != '\n')
 				      && (buffer[pos] != '\0') )
 				{
-			    info_line[pos2] = buffer[pos];
-			  }
-			  else if ( buffer[pos] == '\0' )
-			  {
-			    pos = EXIF_MAX_DATA; /* all data seen */
-			    info_line[pos2] = '\0';
+					info_line[pos2] = buffer[pos];
+				}
+				else if ( buffer[pos] == '\0' )
+				{
+					pos = EXIF_MAX_DATA; /* all data seen */
+					info_line[pos2] = '\0';
+					break;
+				}
+				else
+				{
+					info_line[pos2] = '\0'; /* line finished, continue with next line*/
+					pos++;
+					break;
 				}
-			  else
-			  {
-			  	info_line[pos2] = '\0'; /* line finished, continue with next line*/
-
-			    pos++;
-			    break;
-			  }
 
-			   pos++;
-			   pos2++;
+				pos++;
+				pos2++;
 			}
 
 			gib_imlib_get_text_size(fn, info_line, NULL, &line_width,
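Review bot: The copy branch `info_line[pos2] = buffer[pos];` advances `pos` and `pos2` without writing a terminator, so `info_line` is NUL-terminated only when one of the two `break` branches runs. The enclosing while-loop header is outside this hunk; if the loop can also end through its own bound (an EXIF line longer than `info_line`), the string passed to `gib_imlib_get_text_size()` would be unterminated and read past the array, which is the same class of bug this commit fixes. I would terminate unconditionally after the loop, e.g. `info_line[pos2 < INFO_LINE_LEN ? pos2 : INFO_LINE_LEN - 1] = '\0';`, where `INFO_LINE_LEN` is a placeholder for the array's real size. The copy branch also relies on `buffer` always containing a `'\0'`; unless the loop header already checks `pos < EXIF_MAX_DATA`, that check should guard the read of `buffer[pos]`.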
-- 
GitLab