Diffstat (limited to 'source/fitz')
-rw-r--r-- | source/fitz/load-jpeg.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/source/fitz/load-jpeg.c b/source/fitz/load-jpeg.c
index 96c82ebd..2603ce7d 100644
--- a/source/fitz/load-jpeg.c
+++ b/source/fitz/load-jpeg.c
@@ -133,7 +133,7 @@ static int extract_exif_resolution(jpeg_saved_marker_ptr marker, int *xres, int
 return 0;
 offset = read_value(data + 10, 4, is_big_endian) + 6;
- if (offset < 14 || offset + 2 > marker->data_length)
+ if (offset < 14 || offset > marker->data_length - 2)
 return 0;
 ifd_len = read_value(data + offset, 2, is_big_endian);
 for (offset += 2; ifd_len > 0 && offset + 12 < marker->data_length; ifd_len--, offset += 12)
@@ -145,11 +145,11 @@ static int extract_exif_resolution(jpeg_saved_marker_ptr marker, int *xres, int
 switch (tag)
 {
 case 0x11A:
- if (type == 5 && value_off > offset && value_off + 8 <= marker->data_length)
+ if (type == 5 && value_off > offset && value_off <= marker->data_length - 8)
 x_res = 1.0f * read_value(data + value_off, 4, is_big_endian) / read_value(data + value_off + 4, 4, is_big_endian);
 break;
 case 0x11B:
- if (type == 5 && value_off > offset && value_off + 8 <= marker->data_length)
+ if (type == 5 && value_off > offset && value_off <= marker->data_length - 8)
 y_res = 1.0f * read_value(data + value_off, 4, is_big_endian) / read_value(data + value_off + 4, 4, is_big_endian);
 break;
 case 0x128:
@@ -197,9 +197,9 @@ static int extract_app13_resolution(jpeg_saved_marker_ptr marker, int *xres, int
 int value_off = 11 + read_value(data + 6, 2, 1);
 if (value_off % 2 == 1)
 value_off++;
- if (read_value(data, 4, 1) == 0x3842494D /* 8BIM */ && data + value_off <= data_end)
+ if (read_value(data, 4, 1) == 0x3842494D /* 8BIM */ && value_off <= data_end - data)
 data_size = read_value(data + value_off - 4, 4, 1);
- if (data_size < 0 || data + value_off + data_size > data_end)
+ if (data_size < 0 || data_size > data_end - data - value_off)
 return 0;
 if (tag == 0x3ED && data_size == 16)
 { |
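Review bot: The rewritten bound `offset > marker->data_length - 2` in the first hunk is only safe if `data_length` is already known to be at least 2, because libjpeg declares `data_length` as `unsigned int` and for a shorter marker the subtraction wraps to a huge value, letting the test pass. The start of extract_exif_resolution is outside the hunk, so a minimum-length check may already exist; if it does, a comment such as `/* marker->data_length was range-checked above, so data_length - N cannot wrap */` would record that dependency, and if it does not, the condition needs a leading `marker->data_length < 2 ||`. The `- 8` comparisons in the second hunk (cases 0x11A and 0x11B) appear to be covered by the loop condition, assuming the switch sits inside that loop. That loop condition still uses the additive form `offset + 12 < marker->data_length` and could be rewritten the same way for consistency.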
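Review bot: In the third hunk, `data_size` is assigned only when the 8BIM signature matches, so for a non-matching block the following `data_size < 0 || data_size > data_end - data - value_off` test runs on whatever value the variable already holds. Its declaration is outside the hunk, so whether it is reset to a negative value on each iteration cannot be confirmed from here; an out-of-range `value_off` is rejected either way because the right-hand side goes negative. A comment above the two checks would make the intent explicit, e.g. `/* data_size stays negative unless the 8BIM header was validated; compare lengths, not pointers, so file-controlled offsets cannot overflow */`.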