authorShuzhen Wang <shuzhenwang@google.com>2020-03-02 14:52:12 -0800
committerAnis Assi <anisassi@google.com>2020-03-12 13:40:17 -0700
commit2272fd1a98942957a99b7e71b3eff213298f9743 (patch)
treefa2a8865f8fc0b82b2e905fb84c9109d0093828c
parenteeeee64a7922a7e33d8bc09f66a1a4e6c3e01596 (diff)
Make sure the number of bytes being copied from doesn't exceed the source buffer size. Test: testPocBug_148705132 Bug: 148705132 Change-Id: Ib0f8441f2d0d4ed33c324630a9400a8412209da7 (cherry picked from commit 127f882f67b38def9b5424987c32e21064f4d49c)
-rw-r--r--libexif/exif-data.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index 67df4db..b8324b8 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -295,7 +295,9 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
/* Write the data. Fill unneeded bytes with 0. Do not crash with
* e->data is NULL */
if (e->data) {
- memcpy (*d + 6 + doff, e->data, s);
+ unsigned int len = s;
+ if (e->size < s) len = e->size;
+ memcpy (*d + 6 + doff, e->data, len);
} else {
memset (*d + 6 + doff, 0, s);
}
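Review bot: When `e->size < s`, the clamped `memcpy` in the `if (e->data)` branch leaves the trailing `s - len` bytes of the destination unwritten, even though the comment above says unneeded bytes are filled with 0. The buffer behind `*d` is allocated outside this hunk, so this is an inference, but if it is grown without zeroing, those bytes would carry stale heap contents into the serialized EXIF data. Adding `if (len < s) memset (*d + 6 + doff + len, 0, s - len);` right after the `memcpy` closes the gap. `exif_data_save_data_entry` starts and ends outside the hunk, so check whether a later step already pads this range before applying.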