author | Florian Kriener <floriank@google.com> | 2016-03-08 13:13:07 +0100 |
---|---|---|
committer | Yujie Qin <yujieqin@google.com> | 2016-03-17 14:41:05 +0100 |
commit | 0420a20d94d620f471e47cf3f8c40facca5de58e (patch) | |
tree | 51301805e65b2557b6d6e69a63438ae475d225b7 | |
parent | 0d8a86b53b40b3e8e3b7392e7bf5c51dbd327101 (diff) | |
download | dng_sdk-0420a20d94d620f471e47cf3f8c40facca5de58e.tar.gz |
Integrate integer overflow fixes from security branch
cherry-pick of 1754202ed3e25b98179a4f377f0bdd605d9a157a for nyc-dev.
Bug: 26535130
Change-Id: I9a97903cb9f79131b426736351f0d0a0060294e5
-rw-r--r-- | source/dng_info.cpp | 10 | ||||
-rw-r--r-- | source/dng_memory.h | 1 | ||||
-rw-r--r-- | source/dng_misc_opcodes.cpp | 7 | ||||
-rw-r--r-- | source/dng_safe_arithmetic.cpp | 15 | ||||
-rw-r--r-- | source/dng_safe_arithmetic.h | 5 | ||||
-rw-r--r-- | source/dng_shared.cpp | 12 | ||||
-rw-r--r-- | source/dng_stream.cpp | 4 | ||||
-rw-r--r-- | source/dng_string.cpp | 28 |
8 files changed, 41 insertions, 41 deletions
diff --git a/source/dng_info.cpp b/source/dng_info.cpp
index ed87692..5b742aa 100644
--- a/source/dng_info.cpp
+++ b/source/dng_info.cpp
@@ -1501,10 +1501,11 @@ void dng_info::ParseDNGPrivateData (dng_host &host,
 uint32 section_offset = 6;
- while (section_offset + 8 < fShared->fDNGPrivateDataCount)
+ while (SafeUint32Add(section_offset, 8) < fShared->fDNGPrivateDataCount)
 {
- stream.SetReadPosition (fShared->fDNGPrivateDataOffset + section_offset);
+ stream.SetReadPosition (SafeUint64Add(fShared->fDNGPrivateDataOffset,
+ section_offset));
 uint32 section_key = stream.Get_uint32 ();
 uint32 section_count = stream.Get_uint32 ();
@@ -1867,11 +1868,12 @@ void dng_info::ParseDNGPrivateData (dng_host &host,
 }
- section_offset += 8 + section_count;
+ section_offset = SafeUint32Add(section_offset, 8);
+ section_offset = SafeUint32Add(section_offset, section_count);
 if (section_offset & 1)
 {
- section_offset++;
+ section_offset = SafeUint32Add(section_offset, 1);
 }
 }
diff --git a/source/dng_memory.h b/source/dng_memory.h
index 3966106..05e6f2b 100644
--- a/source/dng_memory.h
+++ b/source/dng_memory.h
@@ -552,6 +552,7 @@ class dng_std_allocator
 // Default implementations of default constructor and copy constructor.
 dng_std_allocator () = default;
 dng_std_allocator (const dng_std_allocator&) = default;
+ template<typename U> dng_std_allocator (const dng_std_allocator<U>&) {}
 T* allocate (size_t n)
 {
diff --git a/source/dng_misc_opcodes.cpp b/source/dng_misc_opcodes.cpp
index 5a6fa82..38297a0 100644
--- a/source/dng_misc_opcodes.cpp
+++ b/source/dng_misc_opcodes.cpp
@@ -293,7 +293,10 @@ dng_opcode_MapTable::dng_opcode_MapTable (dng_host &host,
 fCount = stream.Get_uint32 ();
- if (dataSize != dng_area_spec::kDataSize + 4 + fCount * 2)
+ uint32 requiredSize = SafeUint32Mult(fCount, 2);
+ requiredSize = SafeUint32Add(requiredSize, dng_area_spec::kDataSize);
+ requiredSize = SafeUint32Add(requiredSize, 4);
+ if (dataSize != requiredSize)
 {
 ThrowBadFormat ();
 }
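Review bot: In `dng_info::ParseDNGPrivateData` (source/dng_info.cpp), `section_count` is read straight from the stream and, in the lines visible across the two hunks, is never compared with the bytes left in the private-data block before it is used to advance `section_offset`. The loop body between the hunks is not shown, so this may already be handled there. If it is not, a guard right after the two `Get_uint32 ()` calls, such as `if (section_count > fShared->fDNGPrivateDataCount - section_offset - 8) break;`, would stop the walk at the first section that claims more data than the block holds. The subtraction cannot wrap, because the loop condition has already established `section_offset + 8 < fDNGPrivateDataCount`.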
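Review bot: The converting constructor added to `dng_std_allocator` (source/dng_memory.h) has no comment, and the comment directly above it still describes only the default and copy constructors. Because the commit is titled as an integer-overflow fix, the reason for this line is not obvious; something like `// Converting constructor so the allocator can be rebound to another value type; there is no state to copy.` would record it. With an empty body the constructor could presumably also be marked `noexcept`. The class body continues outside the hunk.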
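Review bot: In the `dng_opcode_MapTable` constructor (source/dng_misc_opcodes.cpp), a rejected `fCount` used to end in `ThrowBadFormat ()`, whereas a count large enough to overflow is now reported by whatever `SafeUint32Mult`/`SafeUint32Add` do on overflow. Their definitions are not part of this diff, but if they raise a different error class than bad-format, the same kind of malformed opcode is classified differently depending only on how large the count is. Validating `fCount` against the table's maximum length before computing `requiredSize`, or mapping the overflow to `ThrowBadFormat ()`, would keep a single error path for untrusted input. The two `CheckTagCount` calls changed in source/dng_shared.cpp have the same shape: they return `false` on a mismatching count but would propagate the overflow error for a large enough product.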
@@ -591,7 +594,7 @@ uint32 dng_opcode_MapPolynomial::BufferPixelType (uint32 imagePixelType)
 for (uint32 j = 0; j <= kMaxDegree; j++)
 {
- fCoefficient32 [j] = (real32) (fCoefficient [j] * factor32);
+ fCoefficient32 [j] = ConvertDoubleToFloat(fCoefficient [j] * factor32);
 factor32 *= scale32;
diff --git a/source/dng_safe_arithmetic.cpp b/source/dng_safe_arithmetic.cpp
index 96eaec8..5771861 100644
--- a/source/dng_safe_arithmetic.cpp
+++ b/source/dng_safe_arithmetic.cpp
@@ -1,5 +1,6 @@
 #include "dng_safe_arithmetic.h"
+#include <cmath>
 #include <limits>
 #include "dng_exceptions.h"
@@ -295,3 +296,17 @@ std::uint32_t ConvertDoubleToUint32(double val) {
 abort(); // Never reached.
 }
 }
+
+float ConvertDoubleToFloat(double val) {
+ const double kMax = std::numeric_limits<float>::max();
+ if (val > kMax) {
+ return std::numeric_limits<float>::infinity();
+ } else if (val < -kMax) {
+ return -std::numeric_limits<float>::infinity();
+ } else {
+ // The cases that end up here are:
+ // - values in [-kMax, kMax]
+ // - NaN (because it always compares false)
+ return static_cast<float>(val);
+ }
+}
diff --git a/source/dng_safe_arithmetic.h b/source/dng_safe_arithmetic.h
index 2535276..b229dc4 100644
--- a/source/dng_safe_arithmetic.h
+++ b/source/dng_safe_arithmetic.h
@@ -222,4 +222,9 @@ static void ConvertUnsigned(TSrc src, TDest *dest) {
 std::int32_t ConvertDoubleToInt32(double val);
 std::uint32_t ConvertDoubleToUint32(double val);
+// Returns the result of converting val to float. If val is outside of
+// [-FLT_MAX, FLT_MAX], -infinity and infinity is returned respectively. NaN is
+// returned as NaN.
+float ConvertDoubleToFloat(double val);
+
 #endif // __dng_safe_arithmetic__
diff --git a/source/dng_shared.cpp b/source/dng_shared.cpp
index 3ff40a4..4b00d24 100644
--- a/source/dng_shared.cpp
+++ b/source/dng_shared.cpp
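Review bot: In `dng_opcode_MapPolynomial::BufferPixelType` (source/dng_misc_opcodes.cpp), `ConvertDoubleToFloat` saturates to ±infinity and passes NaN through, so `fCoefficient32 [j]` can now hold a non-finite value without any signal to the caller. That removes the out-of-range cast, but a polynomial evaluated with such coefficients would write infinities or NaNs into the image data. If non-finite coefficients are not already rejected where the opcode is parsed (not visible here), consider adding `if (!std::isfinite (fCoefficient32 [j])) ThrowBadFormat ();` after the assignment. The loop and the function continue outside the hunk.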
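Review bot: The comment added for `ConvertDoubleToFloat` in source/dng_safe_arithmetic.h is ambiguous ("-infinity and infinity is returned respectively") and does not say that this helper never fails. The neighbouring `ConvertDoubleToInt32`/`ConvertDoubleToUint32` appear to treat out-of-range input as an error (the tail of `ConvertDoubleToUint32` visible in the .cpp hunk ends in an unreachable `abort()`), so the difference is worth stating. Suggested wording: `// Converts val to float. Values below -FLT_MAX yield -infinity, values above FLT_MAX yield +infinity, NaN stays NaN. Never fails; callers must handle non-finite results.`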
@@ -640,9 +640,8 @@ bool dng_camera_profile_info::ParseTag (dng_stream &stream,
 if (!skipSat0)
 {
- if (!CheckTagCount (parentCode, tagCode, tagCount, fProfileHues *
- fProfileSats *
- fProfileVals * 3))
+ if (!CheckTagCount (parentCode, tagCode, tagCount,
+ SafeUint32Mult(fProfileHues, fProfileSats, fProfileVals, 3)))
 return false;
 }
@@ -763,9 +762,10 @@ bool dng_camera_profile_info::ParseTag (dng_stream &stream,
 if (!skipSat0)
 {
- if (!CheckTagCount (parentCode, tagCode, tagCount, fLookTableHues *
- fLookTableSats *
- fLookTableVals * 3))
+ if (!CheckTagCount (parentCode, tagCode, tagCount,
+ SafeUint32Mult(fLookTableHues,
+ fLookTableSats,
+ fLookTableVals, 3)))
 return false;
 }
diff --git a/source/dng_stream.cpp b/source/dng_stream.cpp
index d94a5c7..8b8fa5a 100644
--- a/source/dng_stream.cpp
+++ b/source/dng_stream.cpp
@@ -850,7 +850,7 @@ int32 dng_stream::TagValue_int32 (uint32 tagType)
 if (x < -2147483648.0)
 x = -2147483648.0;
- return (int32) (x - 0.5);
+ return ConvertDoubleToInt32(x - 0.5);
 }
@@ -860,7 +860,7 @@ int32 dng_stream::TagValue_int32 (uint32 tagType)
 if (x > 2147483647.0)
 x = 2147483647.0;
- return (int32) (x + 0.5);
+ return ConvertDoubleToInt32(x + 0.5);
 }
diff --git a/source/dng_string.cpp b/source/dng_string.cpp
index 60e7d74..13fc438 100644
--- a/source/dng_string.cpp
+++ b/source/dng_string.cpp
@@ -923,7 +923,7 @@ uint32 dng_string::DecodeUTF8 (const char *&s,
 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,
- 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,4,4,4,4,4,4,4,4,5,5,5,5,6,6,0,0
+ 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,4,4,4,4,4,0,0,0,0,0,0,0,0,0,0,0
 };
 if (isValid)
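Review bot: In `dng_stream::TagValue_int32` (source/dng_stream.cpp), both branches clamp `x` to the int32 limits and then move it a further 0.5 away from zero, so the argument passed to `ConvertDoubleToInt32` can be -2147483648.5 or 2147483647.5, which lies outside the int32 range before truncation. This is only correct if `ConvertDoubleToInt32` accepts every value whose truncation fits in int32, which cannot be confirmed from this diff. A NaN also skips both clamps, since the comparisons are false, and reaches the helper unchanged. A comment on each return would record the dependency, e.g. `// x -/+ 0.5 may lie up to 0.5 outside int32; ConvertDoubleToInt32 must accept that and reject NaN`. This covers the hunks at -850 and -860; the function body extends outside both.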
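Review bot: In the `DecodeUTF8` length table (source/dng_string.cpp), the unchanged row above the edited one still assigns length 2 to all 32 of its entries; assuming the table is indexed by lead byte, that covers 0xC0 and 0xC1, which can only begin overlong encodings. The range check visible at the end of the next hunk, `aChar < 0x7F || aChar > 0x0010FFFF`, does not appear to reject overlong 3- and 4-byte forms or the surrogate range 0xD800-0xDFFF. Whether that is handled elsewhere in the function is not visible. A comment on the edited row such as `// 0xE0-0xEF: 3 bytes, 0xF0-0xF4: 4 bytes, 0xF5-0xFF: invalid` would document the new limits, and the overlong and surrogate cases deserve a follow-up check.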
@@ -1023,32 +1023,6 @@ uint32 dng_string::DecodeUTF8 (const char *&s,
 break;
 }
-
- case 5:
- {
-
- aChar = ((((((((aChar << 6) + nBuf [1])
- << 6) + nBuf [2])
- << 6) + nBuf [3])
- << 6) + nBuf [4]) - (uint32) 0xFA082080UL;
-
- break;
-
- }
-
- case 6:
- {
-
- aChar = ((((((((((aChar << 6) + nBuf [1])
- << 6) + nBuf [2])
- << 6) + nBuf [3])
- << 6) + nBuf [4])
- << 6) + nBuf [5]) - (uint32) 0x82082080UL;
-
- break;
-
- }
-
 }
 if (aChar < 0x7F || aChar > 0x0010FFFF) |