From 0335ffc17f9b9a4831c242bb08ea92f605fde7a6 Mon Sep 17 00:00:00 2001
From: Shuzhen Wang
Date: Mon, 2 Mar 2020 14:52:12 -0800
Subject: libexif: Fix read buffer overflow

Make sure the number of bytes being copied from doesn't exceed the source buffer size.
Test: testPocBug_148705132
Bug: 148705132
Change-Id: Ib0f8441f2d0d4ed33c324630a9400a8412209da7
(cherry picked from commit 127f882f67b38def9b5424987c32e21064f4d49c)
---
 libexif/exif-data.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index adfb512..b81b8ce 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -299,7 +299,9 @@ exif_data_save_data_entry (ExifData *data, ExifEntry *e,
 /* Write the data. Fill unneeded bytes with 0. Do not crash with
 * e->data is NULL */
 if (e->data) {
- memcpy (*d + 6 + doff, e->data, s);
+ unsigned int len = s;
+ if (e->size < s) len = e->size;
+ memcpy (*d + 6 + doff, e->data, len);
 } else {
 memset (*d + 6 + doff, 0, s);
 }
-- 
cgit v1.2.3