diff options
| author | Marco Nelissen <marcone@google.com> | 2016-06-10 21:27:47 +0000 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2016-06-10 21:27:47 +0000 |
| commit | 2d49e2de6e0927f0b1dd7122f8c5ef0f5c932278 (patch) | |
| tree | 6dd0e64c7a364aa4232838e813dab0e4885ad8d5 | |
| parent | acbfc9c1c7e1a84b0db4dc5bc3d5346b6c55c473 (diff) | |
| parent | b201f04d8c8b8235b2ab8925a45175c96c3943f3 (diff) | |
| download | jhead-2d49e2de6e0927f0b1dd7122f8c5ef0f5c932278.tar.gz | |
Fix possible out of bounds access am: 751b4eba25
am: b201f04d8c
Change-Id: I667443e81e796f1df317c1f9c98a19c2fb1da8ac
| -rw-r--r-- | exif.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -614,7 +614,7 @@ static void ProcessExifDir(unsigned char * DirStart, unsigned char * OffsetBase, unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x", Tag,0); continue; |