graphics/kdegraphics4/files/patch-post-3.5.5-kdegraphics.diff


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

--- kfile-plugins/jpeg/exif.h
+++ kfile-plugins/jpeg/exif.h
@@ -72,7 +72,8 @@
     int Get32s(void * Long);
     unsigned Get32u(void * Long);
     double ConvertAnyFormat(void * ValuePtr, int Format);
-    void ProcessExifDir(unsigned char * DirStart, unsigned char * OffsetBase, unsigned ExifLength);
+    void ProcessExifDir(unsigned char * DirStart, unsigned char * OffsetBase, unsigned ExifLength,
+            unsigned NestingLevel);
     void process_COM (const uchar * Data, int length);
     void process_SOFn (const uchar * Data, int marker);
     int Get16m(const void * Short);
--- kfile-plugins/jpeg/exif.cpp
+++ kfile-plugins/jpeg/exif.cpp
@@ -446,7 +446,7 @@
 //--------------------------------------------------------------------------
 // Process one of the nested EXIF directories.
 //--------------------------------------------------------------------------
-void ExifData::ProcessExifDir(unsigned char * DirStart, unsigned char * OffsetBase, unsigned ExifLength)
+void ExifData::ProcessExifDir(unsigned char * DirStart, unsigned char * OffsetBase, unsigned ExifLength, unsigned NestingLevel)
 {
     int de;
     int a;
@@ -454,6 +454,9 @@
     unsigned ThumbnailOffset = 0;
     unsigned ThumbnailSize = 0;
 
+    if ( NestingLevel > 4)
+        throw FatalError("Maximum directory nesting exceeded (corrupt exif header)");
+
     NumDirEntries = Get16u(DirStart);
     #define DIR_ENTRY_ADDR(Start, Entry) (Start+2+12*(Entry))
 
@@ -476,7 +479,7 @@
     for (de=0;de<NumDirEntries;de++){
         int Tag, Format, Components;
         unsigned char * ValuePtr;
-        int ByteCount;
+        unsigned ByteCount;
         char * DirEntry;
         DirEntry = (char *)DIR_ENTRY_ADDR(DirStart, de);
 
@@ -489,6 +492,11 @@
             throw FatalError("Illegal format code in EXIF dir");
         }
 
+        if ((unsigned)Components > 0x10000) {
+            throw FatalError("Illegal number of components for tag");
+            continue;
+        }
+
         ByteCount = Components * BytesPerFormat[Format];
 
         if (ByteCount > 4){
@@ -517,11 +525,11 @@
         switch(Tag){
 
             case TAG_MAKE:
-                ExifData::CameraMake = QString((char*)ValuePtr);
+                ExifData::CameraMake = QString::fromLatin1((const char*)ValuePtr, 31);
                 break;
 
             case TAG_MODEL:
-                ExifData::CameraModel = QString((char*)ValuePtr);
+                ExifData::CameraModel = QString::fromLatin1((const char*)ValuePtr, 39);
 		break;
 
             case TAG_ORIENTATION:
@@ -529,7 +537,7 @@
                 break;
 
             case TAG_DATETIME_ORIGINAL:
-		DateTime = QString((char*)ValuePtr);
+		DateTime = QString::fromLatin1((const char*)ValuePtr, 19);
                 break;
 
             case TAG_USERCOMMENT:
@@ -550,14 +558,12 @@
                         int c;
                         c = (ValuePtr)[a];
                         if (c != '\0' && c != ' '){
-                            //strncpy(ImageInfo.Comments, (const char*)(a+ValuePtr), 199);
-                            UserComment.sprintf("%s", (const char*)(a+ValuePtr));
+                            UserComment = QString::fromLatin1((const char*)(a+ValuePtr), 199);
                             break;
                         }
                     }
                 }else{
-                    //strncpy(ImageInfo.Comments, (const char*)ValuePtr, 199);
-                    UserComment.sprintf("%s", (const char*)ValuePtr);
+                    UserComment = QString::fromLatin1((const char*)ValuePtr, 199);
                 }
                 break;
 
@@ -676,10 +682,10 @@
         if (Tag == TAG_EXIF_OFFSET || Tag == TAG_INTEROP_OFFSET){
             unsigned char * SubdirStart;
             SubdirStart = OffsetBase + Get32u(ValuePtr);
-            if (SubdirStart < OffsetBase || SubdirStart > OffsetBase+ExifLength){
+            if (SubdirStart <= OffsetBase || SubdirStart >= OffsetBase+ExifLength){
                 throw FatalError("Illegal subdirectory link");
             }
-            ProcessExifDir(SubdirStart, OffsetBase, ExifLength);
+            ProcessExifDir(SubdirStart, OffsetBase, ExifLength, NestingLevel+1);
             continue;
         }
     }
@@ -709,7 +715,7 @@
                     }
                 }else{
                     if (SubdirStart <= OffsetBase+ExifLength){
-                        ProcessExifDir(SubdirStart, OffsetBase, ExifLength);
+                        ProcessExifDir(SubdirStart, OffsetBase, ExifLength, NestingLevel+1);
                     }
                 }
             }
@@ -719,7 +725,7 @@
     }
 
     if (ThumbnailSize && ThumbnailOffset){
-        if (ThumbnailSize + ThumbnailOffset <= ExifLength){
+        if (ThumbnailSize + ThumbnailOffset < ExifLength){
             // The thumbnail pointer appears to be valid.  Store it.
 	    Thumbnail.loadFromData(OffsetBase + ThumbnailOffset, ThumbnailSize, "JPEG");
         }
@@ -810,7 +816,7 @@
     LastExifRefd = CharBuf;
 
     // First directory starts 16 bytes in.  Offsets start at 8 bytes in.
-    ProcessExifDir(CharBuf+16, CharBuf+8, length-6);
+    ProcessExifDir(CharBuf+16, CharBuf+8, length-6, 0);
 
     // This is how far the interesting (non thumbnail) part of the exif went.
     ExifSettingsLength = LastExifRefd - CharBuf;