From 1b08dc2917b5d5972a3f87be3e9b76a4f3398d8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hubert=20Figui=C3=A8re?=
Date: Mon, 14 Aug 2017 23:57:51 -0400
Subject: [PATCH 1/5] Bug 102151 - RIFF: fix an infinite loop cause by an overflow
---
 source/XMPFiles/FormatSupport/RIFF.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source/XMPFiles/FormatSupport/RIFF.cpp b/source/XMPFiles/FormatSupport/RIFF.cpp
index 3992edd..00f67e5 100644
--- a/source/XMPFiles/FormatSupport/RIFF.cpp
+++ b/source/XMPFiles/FormatSupport/RIFF.cpp
@@ -155,7 +155,8 @@ Chunk::Chunk( ContainerChunk* parent, RIFF_MetaHandler* handler, bool skip, Chun
 this->oldPos = LFA_Tell( file );
 this->id = LFA_ReadUns32_LE( file );
- this->oldSize = LFA_ReadUns32_LE( file ) + 8;
+ this->oldSize = LFA_ReadUns32_LE( file );
+ this->oldSize += 8;
 // Make sure the size is within expected bounds.
 XMP_Int64 chunkEnd = this->oldPos + this->oldSize;
-- 
2.17.2
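Review bot: The overflow fix on `this->oldSize` relies on an implicit widening that nothing in the code states, so a later cleanup could merge the two statements back into `LFA_ReadUns32_LE( file ) + 8` and bring back the 32-bit wrap for a size field close to the 32-bit maximum. Assuming `oldSize` is a 64-bit member (its declaration is outside the hunk; the `XMP_Int64 chunkEnd` line suggests so), writing `this->oldSize = static_cast<XMP_Int64>( LFA_ReadUns32_LE( file ) ) + 8;` would make the intent explicit. Alternatively, keep the split and add a comment such as `// add the 8-byte chunk header only after widening; the 32-bit sum can wrap on a crafted size`. The size is read straight from the file and is therefore untrusted. The bounds check that consumes it continues outside the hunk in `Chunk::Chunk`, so it is worth confirming that it rejects a `chunkEnd` past the parent limit for such values.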