From c188578f3f807c967b54b73b793399f0e23f54b3 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Fri, 23 Jul 2021 20:17:50 +0200
Subject: Fix out of boundary access with exif (#617)
* Fix out of boundary access The while-loop is not finished when pos is set to EXIF_MAX_DATA. Instead, the loop continues and therefore tries to access data outside of the array. This is triggered when compiled with exif=1 and asan: $ feh --draw-exif image.jpg
* Fixed formatting No functional change but makes previous commit easier verifiable (independent of tab space setup).
* Call break; instead of setting pos2 to a magic value This is in line with the following else clause
* Another cosmetic adjustment
Co-authored-by: Daniel Friesel
---
 src/imlib.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/src/imlib.c b/src/imlib.c
index 6f31e96..140e487 100644
--- a/src/imlib.c
+++ b/src/imlib.c
@@ -1183,23 +1183,23 @@ void feh_draw_exif(winwidget w)
 if ( (buffer[pos] != '\n') && (buffer[pos] != '\0') )
 {
- info_line[pos2] = buffer[pos];
- }
- else if ( buffer[pos] == '\0' )
- {
- pos = EXIF_MAX_DATA; /* all data seen */
- info_line[pos2] = '\0';
+ info_line[pos2] = buffer[pos];
+ }
+ else if ( buffer[pos] == '\0' )
+ {
+ pos = EXIF_MAX_DATA; /* all data seen */
+ info_line[pos2] = '\0';
+ break;
+ }
+ else
+ {
+ info_line[pos2] = '\0'; /* line finished, continue with next line*/
+ pos++;
+ break;
 }
- else
- {
- info_line[pos2] = '\0'; /* line finished, continue with next line*/
-
- pos++;
- break;
- }
-
- pos++;
- pos2++;
+
+ pos++;
+ pos2++;
 }
 gib_imlib_get_text_size(fn, info_line, NULL, &line_width,
--
cgit v1.2.3
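Review bot: The copy branch `info_line[pos2] = buffer[pos];` still has no bound visible in this hunk. `info_line` is NUL-terminated only in the two `break` branches, so if the inner loop ends through its own condition, the string passed to `gib_imlib_get_text_size` may be unterminated. Likewise, `pos` is incremented at the bottom of the loop with no check against `EXIF_MAX_DATA` before the next `buffer[pos]` read. Because the EXIF text originates from the image file, I would add `if ( pos >= EXIF_MAX_DATA ) { info_line[pos2] = '\0'; break; }` at the top of the loop body and have the loop stop one short of the size of `info_line` so the terminator always fits. Both loop headers and the declarations of `buffer` and `info_line` lie outside the hunk, so this should be confirmed against their actual sizes.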