diff options
| author | Marcus Meissner <marcus@jet.franken.de> | 2020-01-01 19:51:30 +0100 |
|---|---|---|
| committer | Marcus Meissner <marcus@jet.franken.de> | 2020-01-01 19:51:30 +0100 |
| commit | 204c36b842500c9d5e61a566d1d579edde665c60 (patch) | |
| tree | 956f8266ea2393d1fc18d4242c421cd89aae60af | |
| parent | c089b8d11044d225deee75522c797db1ce388a94 (diff) | |
| download | libgphoto2-204c36b842500c9d5e61a566d1d579edde665c60.tar.gz | |
avoid buffer overread due to mismatched total vs in fat filesize (AFL)
| -rw-r--r-- | camlibs/spca50x/spca50x-sdram.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/camlibs/spca50x/spca50x-sdram.c b/camlibs/spca50x/spca50x-sdram.c index 2e0b19bd0..d445947aa 100644 --- a/camlibs/spca50x/spca50x-sdram.c +++ b/camlibs/spca50x/spca50x-sdram.c @@ -443,6 +443,11 @@ spca50x_get_avi (CameraPrivateLibrary * lib, uint8_t ** buf, start_of_frame = avi; /* jpeg starts here */ + if ((data - mybuf) + frame_size > size) { + free (mybuf); + GP_DEBUG("BAD: accessing more than we read (%d vs total %d)", (data-mybuf)+frame_size , size); + return GP_ERROR_CORRUPTED_DATA; + } create_jpeg_from_data (avi, data, qIndex, frame_width, frame_height, 0x22, frame_size, &length, 1, 0); |