diff options
author | Sungsoo Lim <sungsoo@google.com> | 2016-07-21 15:23:20 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-07-21 15:23:20 +0000 |
commit | 0f569b3fbde23b5010729ad848322329aacef28a (patch) | |
tree | 5f7bbb7854e85bf47160e765eb878c5ef6cafab0 | |
parent | a0628a05191a81f88f83077f0c1616aa91f5c0f8 (diff) | |
parent | 1583b768effff71a91a3a358a1e051a460bc3635 (diff) | |
download | jhead-0f569b3fbde23b5010729ad848322329aacef28a.tar.gz |
Fix possible out of bounds accesses am: ee54e6ceb6 am: 4c7c4297b5 am: 364ccf5071 am: fb76bf3245 am: 1a484d2270 am: d98576d450 am: de4cdf8758 am: d3d573ee65 am: f3d69fbae8 am: edad75e21a
am: 1583b768ef
Change-Id: I159c6089c985acc9cc03363d7cb6714a22f8aa5d
-rw-r--r-- | gpsinfo.c | 2 | ||||
-rw-r--r-- | makernote.c | 2 |
2 files changed, 2 insertions, 2 deletions
@@ -174,7 +174,7 @@ void ProcessGpsInfo(unsigned char * DirStart, int ByteCountUnused, unsigned char unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x", Tag,0); continue; diff --git a/makernote.c b/makernote.c index cf40c6b..514518d 100644 --- a/makernote.c +++ b/makernote.c @@ -62,7 +62,7 @@ void ProcessCanonMakerNoteDir(unsigned char * DirStart, unsigned char * OffsetBa unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x", Tag,0); continue; |