diff options
author | Marco Nelissen <marcone@google.com> | 2016-06-10 22:01:27 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2016-06-10 22:01:27 +0000 |
commit | a0628a05191a81f88f83077f0c1616aa91f5c0f8 (patch) | |
tree | c5ba965b855e3850cf96912eaf8851f25c19816c | |
parent | 2cbe01bf1d96c5770329ed1eaee7251400e44a36 (diff) | |
parent | 2a4c12f5e5808e309b9ba04fe8b1539debf466d1 (diff) | |
download | jhead-a0628a05191a81f88f83077f0c1616aa91f5c0f8.tar.gz |
Fix possible out of bounds access am: 751b4eba25 am: b201f04d8c am: 2d49e2de6e am: a3c15ad42d am: 6c2d0e45b5 am: dbefc1dc4a am: 854fedfa6b am: 2ea3783c81 am: e3574d919b am: 3daffc0fbaandroid-cts-7.0_r2android-cts-7.0_r1android-7.0.0_r1nougat-dev
am: 2a4c12f5e5
Change-Id: I4638fa9d92c70bf0713d73b74671aa3591211a9f
-rw-r--r-- | exif.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -614,7 +614,7 @@ static void ProcessExifDir(unsigned char * DirStart, unsigned char * OffsetBase, unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x", Tag,0); continue; |