From: Ludovic Rousseau
Date: Wed Sep 5 15:32:00 CEST 2018
Subject: Fix heap buffer overflow
Bug-Debian: http://bugs.debian.org/907925
Description: Fix CVE-2018-17088
--- a/gpsinfo.c
+++ b/gpsinfo.c
@@ -4,6 +4,7 @@
 // Matthias Wandel, Dec 1999 - Dec 2002
 //--------------------------------------------------------------------------
 #include "jhead.h"
+#include
 #define MAX_GPS_TAG 0x1e
@@ -101,7 +102,7 @@
 unsigned OffsetVal;
 OffsetVal = Get32u(DirEntry+8);
 // If its bigger than 4 bytes, the dir entry contains an offset.
- if (OffsetVal+ByteCount > ExifLength){
+ if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
 // Bogus pointer offset and / or bytecount value
 ErrNonfatal("Illegal value pointer for Exif gps tag %04x", Tag,0);
 continue;
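Review bot: The added guard in the second hunk compares against `UINT32_MAX` although `OffsetVal` is declared `unsigned`, so the bound only matches the arithmetic where `unsigned` is exactly 32 bits wide. Assuming `ByteCount` and `ExifLength` are unsigned as well (their declarations are outside the hunk), a form that never performs the wrapping addition is independent of the width and needs no extra header: `if (ByteCount > ExifLength || OffsetVal > ExifLength - ByteCount){`. `ByteCount` is computed outside this hunk; if it is the product of fields read from the file, that multiplication presumably needs its own overflow check, since a wrapped `ByteCount` would pass either form of this test. The enclosing loop body starts and ends outside the hunk.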