diff options
author | Shuzhen Wang <shuzhenwang@google.com> | 2020-03-02 14:52:12 -0800 |
---|---|---|
committer | Anis Assi <anisassi@google.com> | 2020-03-12 13:40:17 -0700 |
commit | 2272fd1a98942957a99b7e71b3eff213298f9743 (patch) | |
tree | fa2a8865f8fc0b82b2e905fb84c9109d0093828c | |
parent | eeeee64a7922a7e33d8bc09f66a1a4e6c3e01596 (diff) | |
download | libexif-2272fd1a98942957a99b7e71b3eff213298f9743.tar.gz |
libexif: Fix read buffer overflowandroid-9.0.0_r61android-9.0.0_r60android-9.0.0_r59android-9.0.0_r58android-9.0.0_r57android-9.0.0_r56security-pi-release
Make sure the number of bytes being copied from doesn't exceed the
source buffer size.
Test: testPocBug_148705132
Bug: 148705132
Change-Id: Ib0f8441f2d0d4ed33c324630a9400a8412209da7
(cherry picked from commit 127f882f67b38def9b5424987c32e21064f4d49c)
-rw-r--r-- | libexif/exif-data.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libexif/exif-data.c b/libexif/exif-data.c index 67df4db..b8324b8 100644 --- a/libexif/exif-data.c +++ b/libexif/exif-data.c @@ -295,7 +295,9 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e, /* Write the data. Fill unneeded bytes with 0. Do not crash with * e->data is NULL */ if (e->data) { - memcpy (*d + 6 + doff, e->data, s); + unsigned int len = s; + if (e->size < s) len = e->size; + memcpy (*d + 6 + doff, e->data, len); } else { memset (*d + 6 + doff, 0, s); } |