author | Ram Mohan <ram.mohan@ittiam.com> | 2023-12-27 11:36:02 +0530 |
---|---|---|
committer | Ram Mohan M <ram.mohan@ittiam.com> | 2024-01-01 20:09:01 +0530 |
commit | 683ff97c81c9db533095435b032acf50255f39f3 (patch) | |
tree | b854e56617055242cdd77f7b0625c7506472d638 /lib | |
parent | d72d3a69ed6209886bd217fce0b19084c6497f49 (diff) | |
download | libultrahdr-683ff97c81c9db533095435b032acf50255f39f3.tar.gz |
Perform boundary checks before parsing iccData
Bug: 317782344
Test: ultrahdr_app -m 1 -j ./poc
Diffstat (limited to 'lib')
-rw-r--r-- | lib/src/icc.cpp | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/src/icc.cpp b/lib/src/icc.cpp
index b838660..0b4b341 100644
--- a/lib/src/icc.cpp
+++ b/lib/src/icc.cpp
@@ -633,6 +633,13 @@ ultrahdr_color_gamut IccHelper::readIccColorGamut(void* icc_data, size_t icc_siz
 size_t red_primary_offset = 0, green_primary_offset = 0, blue_primary_offset = 0;
 size_t red_primary_size = 0, green_primary_size = 0, blue_primary_size = 0;
 for (size_t tag_idx = 0; tag_idx < Endian_SwapBE32(header->tag_count); ++tag_idx) {
+ if (icc_size < kICCIdentifierSize + sizeof(ICCHeader) + ((tag_idx + 1) * kTagTableEntrySize)) {
+ ALOGE(
+ "Insufficient buffer size during icc parsing. tag index %zu, header %zu, tag size %zu, "
+ "icc size %zu",
+ tag_idx, kICCIdentifierSize + sizeof(ICCHeader), kTagTableEntrySize, icc_size);
+ return ULTRAHDR_COLORGAMUT_UNSPECIFIED;
+ }
 uint32_t* tag_entry_start =
 reinterpret_cast<uint32_t*>(icc_bytes + sizeof(ICCHeader) + tag_idx * kTagTableEntrySize);
 // first 4 bytes are the tag signature, next 4 bytes are the tag offset, |
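Review bot: The new size check sits inside the loop, so it and `Endian_SwapBE32(header->tag_count)` are re-evaluated for every entry of a table whose length comes from the file; validating the whole tag table once before the `for` would be clearer and would reject a truncated profile before any entry is read. For example `const size_t tag_count = Endian_SwapBE32(header->tag_count);` followed by `if (tag_count > (icc_size - kICCIdentifierSize - sizeof(ICCHeader)) / kTagTableEntrySize) return ULTRAHDR_COLORGAMUT_UNSPECIFIED;` (keeping the ALOGE) expresses the bound in division form, which cannot wrap. That form assumes an earlier check, outside this hunk, already guarantees `icc_size` covers the identifier and the header that `header->tag_count` is read from. The guard also covers only the table entry itself: the offsets and sizes copied from each entry into `red_primary_offset`, `red_primary_size` and their siblings are equally file-controlled and need their own comparison against `icc_size` before they are dereferenced. That presumably happens further down in readIccColorGamut, whose body starts and ends outside this hunk.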