author | Leon Scroggins III <scroggo@google.com> | 2018-02-22 22:25:38 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2018-02-22 22:25:38 +0000 |
commit | 0aa61f9e866945145bf3dc21c1255190dedb78ef (patch) | |
tree | 175281cbd0bb652b103bc16080579060ea1d2f1e | |
parent | e16b58ceab491a40e465062d136229e6a2d2a7a5 (diff) | |
parent | c0f877b592fb1a209230d1e5bf9093ef210010ef (diff) | |
download | piex-0aa61f9e866945145bf3dc21c1255190dedb78ef.tar.gz |
Fix heap buffer overflows in GetFullCropDimension in tiff_parser.cc am: f7fc905cff am: bfb129687dandroid-9.0.0_r47android-9.0.0_r46android-9.0.0_r45android-9.0.0_r44android-9.0.0_r43android-9.0.0_r42android-9.0.0_r41android-9.0.0_r40android-9.0.0_r39android-9.0.0_r38android-9.0.0_r37android-9.0.0_r36android-9.0.0_r35android-9.0.0_r34android-9.0.0_r33android-9.0.0_r32android-9.0.0_r31android-9.0.0_r30android-9.0.0_r22android-9.0.0_r21android-9.0.0_r20android-9.0.0_r19android-9.0.0_r16android-9.0.0_r12android-9.0.0_r11pie-qpr3-s1-releasepie-qpr3-releasepie-qpr3-b-releasepie-qpr2-releasepie-qpr1-s3-releasepie-qpr1-s2-releasepie-qpr1-s1-releasepie-qpr1-releasepie-dr1-releasepie-dr1-devpie-devpie-b4s4-releasepie-b4s4-dev
am: c0f877b592
Change-Id: I6d6dbf3c08771c0c1a7c7ca01cfe6498640eb7b4
-rw-r--r-- | src/tiff_parser.cc | 34 |
1 files changed, 26 insertions, 8 deletions
diff --git a/src/tiff_parser.cc b/src/tiff_parser.cc
index 24368e0..6bf3bb4 100644
--- a/src/tiff_parser.cc
+++ b/src/tiff_parser.cc
@@ -596,23 +596,41 @@ bool GetFullDimension32(const TiffDirectory& tiff_directory,
 bool GetFullCropDimension(const tiff_directory::TiffDirectory& tiff_directory, std::uint32_t* width, std::uint32_t* height) {
- if (tiff_directory.Has(kExifTagDefaultCropSize)) {
- std::vector<std::uint32_t> crop(2);
- std::vector<Rational> crop_rational(2);
- if (tiff_directory.Get(kExifTagDefaultCropSize, &crop)) {
+ if (!tiff_directory.Has(kExifTagDefaultCropSize)) {
+ // This doesn't look right to return true here, as we have not written
+ // anything to *width and *height. However, changing the return value here
+ // causes a whole bunch of tests to fail.
+ // TODO(timurrrr): Return false and fix the tests.
+ // In fact, this whole if() seems to be not needed,
+ // as tiff_directory(kExifTagDefaultCropSize) will return false below.
+ return true;
+ }
+
+ std::vector<std::uint32_t> crop(2);
+ if (tiff_directory.Get(kExifTagDefaultCropSize, &crop)) {
+ if (crop.size() == 2 && crop[0] > 0 && crop[1] > 0) {
 *width = crop[0];
 *height = crop[1];
- } else if (tiff_directory.Get(kExifTagDefaultCropSize, &crop_rational) &&
- crop_rational[0].denominator != 0 &&
- crop_rational[1].denominator != 0) {
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+ std::vector<Rational> crop_rational(2);
+ if (tiff_directory.Get(kExifTagDefaultCropSize, &crop_rational)) {
+ if (crop_rational.size() == 2 && crop_rational[0].numerator > 0 &&
+ crop_rational[0].denominator > 0 && crop_rational[1].numerator > 0 &&
+ crop_rational[1].denominator > 0) {
 *width = crop_rational[0].numerator / crop_rational[0].denominator;
 *height = crop_rational[1].numerator / crop_rational[1].denominator;
+ return true;
 } else {
 return false;
 }
 }
- return true;
+ return false;
 }
 TiffParser::TiffParser(StreamInterface* stream) : stream_(stream) {} |
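Review bot: The rational branch of GetFullCropDimension can still report success with a zero dimension, because `*width = crop_rational[0].numerator / crop_rational[0].denominator;` truncates to 0 whenever the numerator is smaller than the denominator, while the integer branch above explicitly rejects `crop[0] == 0`. Compute both quotients into locals first and add `if (w == 0 || h == 0) return false;` before writing to `*width` and `*height`, so both paths enforce the same "non-zero crop" contract on a file-controlled tag. The field types of `Rational` are not visible in this hunk; if they are signed, the new `> 0` checks also carry the sign validation and the quotient check is still needed. The diffstat shows only src/tiff_parser.cc changing, so a regression test feeding a DefaultCropSize with fewer than two entries and one with numerator < denominator would pin both the overflow fix and this case.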