diff options
| author | Sungsoo Lim <sungsoo@google.com> | 2016-07-20 10:37:20 +0900 |
|---|---|---|
| committer | gitbuildkicker <android-build@google.com> | 2016-08-01 19:12:55 -0700 |
| commit | 2f16b7702d30608778d165c2fb41c574f9ca1c68 (patch) | |
| tree | 5f7bbb7854e85bf47160e765eb878c5ef6cafab0 | |
| parent | a0628a05191a81f88f83077f0c1616aa91f5c0f8 (diff) | |
| download | jhead-nougat-cts-release.tar.gz | |
Fix possible out of bounds accessesandroid-cts-7.0_r9android-cts-7.0_r8android-cts-7.0_r7android-cts-7.0_r6android-cts-7.0_r5android-cts-7.0_r4android-cts-7.0_r33android-cts-7.0_r32android-cts-7.0_r31android-cts-7.0_r30android-cts-7.0_r3android-cts-7.0_r29android-cts-7.0_r28android-cts-7.0_r27android-cts-7.0_r26android-cts-7.0_r25android-cts-7.0_r24android-cts-7.0_r23android-cts-7.0_r22android-cts-7.0_r21android-cts-7.0_r20android-cts-7.0_r19android-cts-7.0_r18android-cts-7.0_r17android-cts-7.0_r16android-cts-7.0_r15android-cts-7.0_r14android-cts-7.0_r13android-cts-7.0_r12android-cts-7.0_r11android-cts-7.0_r10android-7.0.0_r9android-7.0.0_r8android-7.0.0_r7android-7.0.0_r6android-7.0.0_r5android-7.0.0_r4android-7.0.0_r36android-7.0.0_r35android-7.0.0_r34android-7.0.0_r33android-7.0.0_r32android-7.0.0_r31android-7.0.0_r30android-7.0.0_r3android-7.0.0_r29android-7.0.0_r28android-7.0.0_r27android-7.0.0_r24android-7.0.0_r21android-7.0.0_r19android-7.0.0_r17android-7.0.0_r15android-7.0.0_r14android-7.0.0_r13android-7.0.0_r12android-7.0.0_r11android-7.0.0_r10nougat-releasenougat-mr0.5-releasenougat-cts-releasenougat-bugfix-release
Bug: 30074856
Change-Id: I1a1387ed29d2e0d010b0d5d4bb3d29453a3a7666
(cherry picked from commit ee54e6ceb66e16b3c10c4a9fc8fbe5fff9110b62)
| -rw-r--r-- | gpsinfo.c | 2 | ||||
| -rw-r--r-- | makernote.c | 2 |
2 files changed, 2 insertions, 2 deletions
@@ -174,7 +174,7 @@ void ProcessGpsInfo(unsigned char * DirStart, int ByteCountUnused, unsigned char unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x", Tag,0); continue; diff --git a/makernote.c b/makernote.c index cf40c6b..514518d 100644 --- a/makernote.c +++ b/makernote.c @@ -62,7 +62,7 @@ void ProcessCanonMakerNoteDir(unsigned char * DirStart, unsigned char * OffsetBa unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x", Tag,0); continue; |