
Commit c306b55

committed
Validate IPTC segment offsets.
1 parent 76bc55d commit c306b55


1 file changed

+10
-10
lines changed


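--- a/js/load-image-iptc.js
+++ b/js/load-image-iptc.js
@@ -51,7 +51,6 @@
 }
 return outstr
 }
-
 var fieldValue, dataSize, segmentType
 var segmentStartPos = startOffset
 while (segmentStartPos < startOffset + sectionLength) {
@@ -61,12 +60,10 @@
 dataView.getUint8(segmentStartPos + 1) === 0x02
 ) {
 segmentType = dataView.getUint8(segmentStartPos + 2)
-
 // only store data for known tags
 if (segmentType in data.iptc.tags) {
 dataSize = dataView.getInt16(segmentStartPos + 3)
 fieldValue = getStringFromDB(dataView, segmentStartPos + 5, dataSize)
-
 // Check if we already stored a value with this name
 if (data.iptc.hasOwnProperty(segmentType)) {
 // Value already stored with this name, create multivalue field
@@ -88,20 +85,18 @@
 if (options.disableIptc) {
 return
 }
-
+var markerLength = offset + length
 // Found '8BIM<EOT><EOT>' ?
 var isFieldSegmentStart = function (dataView, offset) {
 return (
 dataView.getUint32(offset) === 0x3842494d &&
 dataView.getUint16(offset + 4) === 0x0404
 )
 }
-
 // Hunt forward, looking for the correct IPTC block signature:
 // Reference: https://metacpan.org/pod/distribution/Image-MetaData-JPEG/lib/Image/MetaData/JPEG/Structures.pod#Structure-of-a-Photoshop-style-APP13-segment
-
 // From https://github.com/exif-js/exif-js/blob/master/exif.js ~ line 474 on
-while (offset < offset + length) {
+while (offset + 8 < markerLength) {
 if (isFieldSegmentStart(dataView, offset)) {
 var nameHeaderLength = dataView.getUint8(offset + 7)
 if (nameHeaderLength % 2 !== 0) nameHeaderLength += 1
@@ -110,13 +105,18 @@
 // Always 4
 nameHeaderLength = 4
 }
-
 var startOffset = offset + 8 + nameHeaderLength
+if (startOffset > markerLength) {
+console.log('Invalid IPTC data: Invalid segment offset.')
+break
+}
 var sectionLength = dataView.getUint16(offset + 6 + nameHeaderLength)
-
+if (offset + sectionLength > markerLength) {
+console.log('Invalid IPTC data: Invalid segment size.')
+break
+}
 // Create the iptc object to store the tags:
 data.iptc = new loadImage.IptcMap()
-
 // Parse the tags
 return loadImage.parseIptcTags(
 dataView,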
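Review bot: The new size check in the last hunk compares `offset + sectionLength` with `markerLength`, but the section handed to `parseIptcTags` begins at `startOffset`, which is `8 + nameHeaderLength` bytes further on, so an accepted section can still extend that many bytes past the end of the APP13 marker. The bound should be taken from where parsing actually starts: `if (startOffset + sectionLength > markerLength) {`. Inside `parseIptcTags` (first two hunks, context lines only) the per-tag `dataSize` is read with the signed `getInt16` and passed to `getStringFromDB` without being compared against `startOffset + sectionLength`, so a crafted tag length can presumably still read outside the section or raise a RangeError from the DataView; a per-tag bound check there looks like a worthwhile follow-up. `markerLength` holds an end offset rather than a length, so a name such as `markerEnd` would read more accurately. Both enclosing functions start and end outside the hunks shown.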
