Stack corruption in GetEXIFProperty function

cs_rol
Posts: 22
Joined: 2007-01-16T04:40:08-07:00


Post by cs_rol »

Visual Studio's memory guard complained about corruption of the stack near variable 'buffer'.
I had a closer look at the code and figured out it was right:

The macros EXIFMultipleValues and EXIFMultipleFractions write to index -2 under some circumstances:


 property.c  
728	#define EXIFMultipleValues(size, format, arg) \
729	{ \
730	    long component; \
731	    size_t used_space; \
732	    unsigned char *p1; \
733	    used_space=0; \
734	    p1=p; \
735	    for (component = 0; component < components; component++) \
736	    { \
737	       used_space+=FormatMagickString(buffer+used_space, \
738	          MaxTextExtent-used_space,format", ",arg); \
739	       if (used_space >= MaxTextExtent - 1) \
740	          used_space=MaxTextExtent-1; \
741	       p1+=size; \
742	    } \
743	    buffer[used_space-2]='\0'; \
744	    value=AcquireString(buffer); \
745	}
If components is somehow 0, buffer[-2] gets overwritten in line 743 (the same is true in line 762).

greets!
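To make the underflow concrete, here is an added example in plain C. It is not ImageMagick's code and not part of the post above: it reproduces the macro's pattern for 16-bit values, with the post's blind termination (`buffer[used_space-2]='\0'`) beside a guarded one that only strips a separator that is actually present. DEMO_TEXT_EXTENT (a stand-in for ImageMagick's MaxTextExtent, shrunk so truncation is easy to hit), the function names and the sample arrays are assumptions made for this demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ImageMagick's MaxTextExtent, shrunk so that truncation is
 * easy to exercise. This size, the function names and the sample arrays
 * are assumptions made for this demo, not ImageMagick's own code. */
#define DEMO_TEXT_EXTENT 16

/* Constructed sample input: little-endian 16-bit EXIF SHORT values. */
const unsigned char kThreeShorts[] = {1, 0, 2, 0, 3, 0};
const unsigned char kMaxShorts[]   = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};

/* Shared body of the macro from the post: format `components` values from
 * `p` as "v, v, v, " into buffer and return used_space. The size_t
 * bookkeeping and the clamp after truncation are kept as in the original. */
static size_t format_components(char *buffer, const unsigned char *p,
                                size_t components)
{
    size_t used_space = 0;
    const unsigned char *p1 = p;

    buffer[0] = '\0';                       /* nothing written yet */
    for (size_t component = 0; component < components; component++) {
        unsigned value = (unsigned)p1[0] | ((unsigned)p1[1] << 8);
        int n = snprintf(buffer + used_space, DEMO_TEXT_EXTENT - used_space,
                         "%u, ", value);
        if (n < 0)
            break;                          /* encoding error: keep what we have */
        used_space += (size_t)n;            /* would-be length, may exceed the buffer */
        if (used_space >= DEMO_TEXT_EXTENT - 1)
            used_space = DEMO_TEXT_EXTENT - 1;   /* later calls get size 1: NUL only */
        p1 += 2;
    }
    return used_space;
}

static char *dup_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL)
        memcpy(copy, s, len);
    return copy;
}

/* Termination as in the post: strip the trailing ", " blindly. With
 * components == 0 used_space is 0, used_space - 2 wraps as a size_t, and the
 * store lands two bytes before the array: the stack corruption reported.
 * Only ever call this with components >= 1. */
char *exif_join_unsafe(const unsigned char *p, size_t components)
{
    char buffer[DEMO_TEXT_EXTENT];
    size_t used_space = format_components(buffer, p, components);

    buffer[used_space - 2] = '\0';
    return dup_string(buffer);
}

/* Hardened termination: strip a separator only if one is really there.
 * That handles components == 0 (nothing to strip) and the truncated case,
 * where the last two bytes may be digits rather than ", ". snprintf has
 * already NUL-terminated the buffer, so otherwise nothing needs doing. */
char *exif_join_safe(const unsigned char *p, size_t components)
{
    char buffer[DEMO_TEXT_EXTENT];
    size_t used_space = format_components(buffer, p, components);

    if (used_space >= 2 && buffer[used_space - 2] == ',' &&
        buffer[used_space - 1] == ' ')
        buffer[used_space - 2] = '\0';
    return dup_string(buffer);
}

/* Check helper: join with the hardened (or, if hardened == 0, the original)
 * termination, compare with `expected`, free, and return 1 on a match. */
int join_equals(int hardened, const unsigned char *p, size_t components,
                const char *expected)
{
    char *s = hardened ? exif_join_safe(p, components)
                       : exif_join_unsafe(p, components);
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int main(void)
{
    char *s = exif_join_safe(kThreeShorts, 0);   /* the case that corrupted the stack */
    printf("0 components -> \"%s\"\n", s);
    free(s);
    s = exif_join_safe(kMaxShorts, 3);           /* truncated, still in bounds */
    printf("3 x 65535 -> \"%s\"\n", s);
    free(s);
    return 0;
}
```

Two things the guarded version shows beyond the zero-component case: because FormatMagickString/snprintf report the would-be length, the clamp in the loop is what keeps later writes inside the buffer, and once truncation has happened the last two bytes are not necessarily ", ", so blindly chopping them discards data as well (the unsafe variant turns three 65535s into "65535, 65535," in the 16-byte demo buffer).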
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: Stack corruption in GetEXIFProperty function

Post by magick »

We can reproduce the problem you posted and have a patch in ImageMagick 6.5.2-5 Beta available sometime tomorrow. Thanks.