Fix possible out of bounds accessandroid-6.0.1_r77 marshmallow-mr3-release

Bug: 28868315 Change-Id: I2b416c662f9ad7f9b3c6cf973a39c6693c66775a (cherry picked from commit 751b4eba25aa2e2a31232c9c25ceb6dbddfb1d93)
author: Marco Nelissen <marcone@google.com> 2016-06-09 14:07:50 -0700
committer: gitbuildkicker <android-build@google.com> 2016-11-03 12:16:55 -0700
commit: 052d982178ee20a33f1691e5f126ecd897cc3954 (patch)
tree: 7d5ebb66089de9bba339e8d830cf8a63cce766f8
parent: a858e84f1d84bae3d0767323a4d7ec7cd3d516f2 (diff)
download: jhead-marshmallow-mr3-release.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/exif.c b/exif.c
index 8dfdaf1..0abfa1d 100644
--- a/exif.c
+++ b/exif.c
@@ -614,7 +614,7 @@ static void ProcessExifDir(unsigned char * DirStart, unsigned char * OffsetBase,
             unsigned OffsetVal;
             OffsetVal = Get32u(DirEntry+8);
             // If its bigger than 4 bytes, the dir entry contains an offset.
-            if (OffsetVal+ByteCount > ExifLength){
+            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
                 // Bogus pointer offset and / or bytecount value
                 ErrNonfatal("Illegal value pointer for tag %04x", Tag,0);
                 continue;
author	Marco Nelissen <marcone@google.com>	2016-06-09 14:07:50 -0700
committer	gitbuildkicker <android-build@google.com>	2016-11-03 12:16:55 -0700
commit	052d982178ee20a33f1691e5f126ecd897cc3954 (patch)
tree	7d5ebb66089de9bba339e8d830cf8a63cce766f8
parent	a858e84f1d84bae3d0767323a4d7ec7cd3d516f2 (diff)
download	jhead-marshmallow-mr3-release.tar.gz