Fix possible out of bounds access am: 751b4eba25 am: b201f04d8c am: 2d49e2de6e am: a3c15ad42d am: 6c2d0e45b5 am: dbefc1dc4a am: 854fedfa6b am: 2ea3783c81 am: e3574d919b am: 3daffc0fba am: 2a4c12f5e5

am: a0628a0519 Change-Id: Iaf24ca864ac1cbf325c18bec4ea851f74e05fa1f
author: Marco Nelissen <marcone@google.com> 2016-06-10 22:06:29 +0000
committer: android-build-merger <android-build-merger@google.com> 2016-06-10 22:06:29 +0000
commit: b78d1acfe297df558a0ddf7b47f1e1641e7eb4bd (patch)
tree: c5ba965b855e3850cf96912eaf8851f25c19816c
parent: 2cbe01bf1d96c5770329ed1eaee7251400e44a36 (diff)
parent: a0628a05191a81f88f83077f0c1616aa91f5c0f8 (diff)
download: jhead-b78d1acfe297df558a0ddf7b47f1e1641e7eb4bd.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/exif.c b/exif.c
index 55491fb..ffe9581 100644
--- a/exif.c
+++ b/exif.c
@@ -614,7 +614,7 @@ static void ProcessExifDir(unsigned char * DirStart, unsigned char * OffsetBase,
             unsigned OffsetVal;
             OffsetVal = Get32u(DirEntry+8);
             // If its bigger than 4 bytes, the dir entry contains an offset.
-            if (OffsetVal+ByteCount > ExifLength){
+            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
                 // Bogus pointer offset and / or bytecount value
                 ErrNonfatal("Illegal value pointer for tag %04x", Tag,0);
                 continue;
author	Marco Nelissen <marcone@google.com>	2016-06-10 22:06:29 +0000
committer	android-build-merger <android-build-merger@google.com>	2016-06-10 22:06:29 +0000
commit	b78d1acfe297df558a0ddf7b47f1e1641e7eb4bd (patch)
tree	c5ba965b855e3850cf96912eaf8851f25c19816c
parent	2cbe01bf1d96c5770329ed1eaee7251400e44a36 (diff)
parent	a0628a05191a81f88f83077f0c1616aa91f5c0f8 (diff)
download	jhead-b78d1acfe297df558a0ddf7b47f1e1641e7eb4bd.tar.gz