authorMarcus Meissner <marcus@jet.franken.de>2017-04-29 13:15:46 +0200
committerMarcus Meissner <marcus@jet.franken.de>2017-04-29 13:15:46 +0200
commite25b3983489cd290edef693e78c0af694d3cd010 (patch)
treed35da4d6960d15b751ba31306c1e658e49a5eaf4
parent3ad0c48f38a2741b05477aed97122f4c49b46bc3 (diff)
downloadlibgphoto2-e25b3983489cd290edef693e78c0af694d3cd010.tar.gz
Added some more size checks to ptp_unpack_OPL to avoid crashes on too short data (AFL)
-rw-r--r--camlibs/ptp2/ptp-pack.c14
1 files changed, 12 insertions, 2 deletions
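diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
index 2e1d8e6b5..a36fb8b6d 100644
--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
@@ -1342,24 +1342,32 @@ _compare_func(const void* x, const void *y) {
 static inline int
 ptp_unpack_OPL (PTPParams *params, unsigned char* data, MTPProperties **pprops, unsigned int len)
 {
- uint32_t prop_count = dtoh32a(data);
+ uint32_t prop_count;
 MTPProperties *props = NULL;
 unsigned int offset = 0, i;
+ if (len < sizeof(uint32_t)) {
+ ptp_debug (params ,"must have at least 4 bytes data, not %d", len);
+ return 0;
+ }
+
+ prop_count = dtoh32a(data);
 *pprops = NULL;
 if (prop_count == 0)
 return 0;
+
 if (prop_count >= INT_MAX/sizeof(MTPProperties)) {
 ptp_debug (params ,"prop_count %d is too large", prop_count);
 return 0;
 }
 ptp_debug (params ,"Unpacking MTP OPL, size %d (prop_count %d)", len, prop_count);
+
 data += sizeof(uint32_t);
 len -= sizeof(uint32_t);
 props = malloc(prop_count * sizeof(MTPProperties));
 if (!props) return 0;
 for (i = 0; i < prop_count; i++) {
- if (len <= 0) {
+ if (len <= (sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t))) {
 ptp_debug (params ,"short MTP Object Property List at property %d (of %d)", i, prop_count);
 ptp_debug (params ,"device probably needs DEVICE_FLAG_BROKEN_MTPGETOBJPROPLIST_ALL");
 ptp_debug (params ,"or even DEVICE_FLAG_BROKEN_MTPGETOBJPROPLIST", i);
@@ -1367,6 +1375,8 @@ ptp_unpack_OPL (PTPParams *params, unsigned char* data, MTPProperties **pprops,
 *pprops = props;
 return i;
 }
+
+
 props[i].ObjectHandle = dtoh32a(data);
 data += sizeof(uint32_t);
 len -= sizeof(uint32_t);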
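Review bot: The new early return at `if (len < sizeof(uint32_t))` in the first hunk exits before `*pprops = NULL;` is reached, so a caller that inspects `*pprops` after a 0 return sees whatever it held before, unlike the existing `prop_count == 0` path, which clears it first. Moving the assignment above the length check keeps the contract uniform: `*pprops = NULL;` then `if (len < sizeof(uint32_t)) { ... }`. The accompanying message formats the `unsigned int len` with `%d`; `ptp_debug (params ,"must have at least 4 bytes data, not %u", len);` matches the type. The widened per-property guard only covers the fixed handle/code/datatype header that the following three reads consume; whether the variable-length value after it is bounded is decided in the rest of the loop body, which lies past the end of the second hunk and outside this view.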