diff options
author | Marco Nelissen <marcone@google.com> | 2016-06-10 21:31:12 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-06-10 21:31:12 +0000 |
commit | a3c15ad42d2a54afd18c2683a0a1b0c80524a6c0 (patch) | |
tree | 02cce0896b530595982270ec0dfc3163c65a7321 | |
parent | afe9f55ee6ba3eaee02e7b13809a534ebe98d34a (diff) | |
parent | 2d49e2de6e0927f0b1dd7122f8c5ef0f5c932278 (diff) | |
download | jhead-a3c15ad42d2a54afd18c2683a0a1b0c80524a6c0.tar.gz |
Fix possible out of bounds access am: 751b4eba25 am: b201f04d8c
am: 2d49e2de6e
Change-Id: Ie0b97678f3c3281c52ab8cce5447e07f45b4c6c9
-rw-r--r-- | exif.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -614,7 +614,7 @@ static void ProcessExifDir(unsigned char * DirStart, unsigned char * OffsetBase, unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x", Tag,0); continue; |