Unverified Commit c188578f authored by Tobias Stoeckmann, committed by GitHub

Fix out of boundary access with exif (#617)



* Fix out of boundary access

The while-loop is not finished when pos is set to EXIF_MAX_DATA.
Instead, the loop continues and therefore tries to access data outside
of the array.

This is triggered when compiled with exif=1 and asan:

$ feh --draw-exif image.jpg

* Fixed formatting

No functional change but makes previous commit easier to verify
(independent of tab space setup).

* Call break; instead of setting pos2 to a magic value

This is in line with the following else clause

* Another cosmetic adjustment

Co-authored-by: Daniel Friesel <derf@finalrewind.org>
parent 87d9b7ed
+15 −15
@@ -1183,23 +1183,23 @@ void feh_draw_exif(winwidget w)
				if ( (buffer[pos] != '\n')
				if ( (buffer[pos] != '\n')
				      && (buffer[pos] != '\0') )
				      && (buffer[pos] != '\0') )
				{
				{
			    info_line[pos2] = buffer[pos];
					info_line[pos2] = buffer[pos];
			  }
				}
			  else if ( buffer[pos] == '\0' )
				else if ( buffer[pos] == '\0' )
			  {
				{
			    pos = EXIF_MAX_DATA; /* all data seen */
					pos = EXIF_MAX_DATA; /* all data seen */
			    info_line[pos2] = '\0';
					info_line[pos2] = '\0';
					break;
				}
				else
				{
					info_line[pos2] = '\0'; /* line finished, continue with next line*/
					pos++;
					break;
				}
				}
			  else
			  {
			  	info_line[pos2] = '\0'; /* line finished, continue with next line*/

			    pos++;
			    break;
			  }


			   pos++;
				pos++;
			   pos2++;
				pos2++;
			}
			}


			gib_imlib_get_text_size(fn, info_line, NULL, &line_width,
			gib_imlib_get_text_size(fn, info_line, NULL, &line_width,
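Review bot: In the `buffer[pos] == '\0'` branch the added `break;` only leaves the inner copy loop, while `pos = EXIF_MAX_DATA; /* all data seen */` remains the signal to the enclosing code, which is outside this hunk. It is worth confirming that the enclosing loop tests `pos` against `EXIF_MAX_DATA` before `buffer[pos]` is read again, and extending the comment on that assignment to say it is the end-of-data sentinel for the outer loop. The hunk also shows no bound on `pos2` in `info_line[pos2] = buffer[pos];`, so the loop condition should be checked to make sure `pos2` stays below the size of `info_line` when a line in `buffer` has no newline for a long stretch. Finally, the re-indentation is folded into the same hunk as the single functional line, which makes the actual fix hard to pick out; keeping the whitespace change as its own commit would make the bounds fix easier to audit and backport.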