diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-10 23:08:14 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-10 23:08:14 +0000 |
commit | daf32ac4b7d4252891c467bb91ab0f17afe3ca1e (patch) | |
tree | 12149b7c2a8d95ed6f125244e277c4991e4c7d68 | |
parent | 1a6756b78ad1c7fca57cb8521081fc01181e8f83 (diff) | |
parent | ff237a0c1a223a8dac0dc7e056b7b5c3b5d91709 (diff) | |
download | libexif-android10-d4-s1-release.tar.gz |
Snap for 6282349 from ff237a0c1a223a8dac0dc7e056b7b5c3b5d91709 to qt-d4-releaseandroid-10.0.0_r45android-10.0.0_r44android-10.0.0_r43android-10.0.0_r42android10-d4-s1-releaseandroid10-d4-release
Change-Id: Ib0c1f0331fdcb88d15e8cb7a149c70cdba822ab6
-rw-r--r-- | libexif/exif-data.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/libexif/exif-data.c b/libexif/exif-data.c index adfb512..80d9346 100644 --- a/libexif/exif-data.c +++ b/libexif/exif-data.c @@ -39,6 +39,7 @@ #include <stdlib.h> #include <stdio.h> #include <string.h> +#include <limits.h> #undef JPEG_MARKER_SOI #define JPEG_MARKER_SOI 0xd8 @@ -299,7 +300,9 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e, /* Write the data. Fill unneeded bytes with 0. Do not crash with * e->data is NULL */ if (e->data) { - memcpy (*d + 6 + doff, e->data, s); + unsigned int len = s; + if (e->size < s) len = e->size; + memcpy (*d + 6 + doff, e->data, len); } else { memset (*d + 6 + doff, 0, s); } @@ -383,9 +386,9 @@ exif_data_load_data_content (ExifData *data, ExifIfd ifd, } /* Read the number of entries */ - if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) { + if ((offset > UINT_MAX - 2) || (offset + 2 > ds)) { exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData", - "Tag data past end of buffer (%u > %u)", offset+2, ds); + "Tag data past end of buffer (%u + 2 > %u)", offset, ds); return; } n = exif_get_short (d + offset, data->priv->order); |