diff options
author | Sungsoo Lim <sungsoo@google.com> | 2016-07-20 16:47:34 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-07-20 16:47:34 +0000 |
commit | 364ccf5071db8c62721ba5ac25765dcd45fcddb5 (patch) | |
tree | 8c436361f5c7926a2f8d8c34520ab5ae9eaced79 | |
parent | 2d49e2de6e0927f0b1dd7122f8c5ef0f5c932278 (diff) | |
parent | 4c7c4297b5f0d2aeba4f9614522aff5ee7b28394 (diff) | |
download | jhead-364ccf5071db8c62721ba5ac25765dcd45fcddb5.tar.gz |
Fix possible out of bounds accesses am: ee54e6ceb6
am: 4c7c4297b5
Change-Id: I8ad3060e9c34fcb046d63165f97212ccdd8a44a2
-rw-r--r-- | gpsinfo.c | 2 | ||||
-rw-r--r-- | makernote.c | 2 |
2 files changed, 2 insertions, 2 deletions
@@ -174,7 +174,7 @@ void ProcessGpsInfo(unsigned char * DirStart, int ByteCountUnused, unsigned char unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x", Tag,0); continue; diff --git a/makernote.c b/makernote.c index 0be4df5..ae108ce 100644 --- a/makernote.c +++ b/makernote.c @@ -62,7 +62,7 @@ void ProcessCanonMakerNoteDir(unsigned char * DirStart, unsigned char * OffsetBa unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x", Tag,0); continue; |