diff options
| author | Sungsoo Lim <sungsoo@google.com> | 2016-07-20 10:37:20 +0900 |
|---|---|---|
| committer | Feng Yu <feny@google.com> | 2016-07-21 17:58:29 +0000 |
| commit | e923f0b9e1d7db51f34bc2b62cf85bccdbe66ac7 (patch) | |
| tree | 7d5ebb66089de9bba339e8d830cf8a63cce766f8 | |
| parent | 3cb24f52286b7329cfa9d998b5c848d7c4cc04a4 (diff) | |
| download | jhead-e923f0b9e1d7db51f34bc2b62cf85bccdbe66ac7.tar.gz | |
Fix possible out of bounds accesses
Bug: 30074856
Change-Id: I1a1387ed29d2e0d010b0d5d4bb3d29453a3a7666
(cherry picked from commit ee54e6ceb66e16b3c10c4a9fc8fbe5fff9110b62)
(cherry picked from commit 78cc5b2401047d8c8ca77f633d8fa32c94e8e8f5)
| -rw-r--r-- | gpsinfo.c | 2 | ||||
| -rw-r--r-- | makernote.c | 2 |
2 files changed, 2 insertions, 2 deletions
@@ -174,7 +174,7 @@ void ProcessGpsInfo(unsigned char * DirStart, int ByteCountUnused, unsigned char unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x", Tag,0); continue; diff --git a/makernote.c b/makernote.c index cf40c6b..514518d 100644 --- a/makernote.c +++ b/makernote.c @@ -62,7 +62,7 @@ void ProcessCanonMakerNoteDir(unsigned char * DirStart, unsigned char * OffsetBa unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x", Tag,0); continue; |