diff options
author | Marcus Meissner <marcus@jet.franken.de> | 2019-12-31 09:22:17 +0100 |
---|---|---|
committer | Marcus Meissner <marcus@jet.franken.de> | 2019-12-31 09:22:17 +0100 |
commit | 52d7b2ea49a9f6b388550f6c52d2070a7fad303b (patch) | |
tree | 90a27ebd067d0aeb5915bf70fa9eac0cd7639f6b | |
parent | f2c2aefe4e8eef9582e816d847be4b765f01699c (diff) | |
download | libgphoto2-52d7b2ea49a9f6b388550f6c52d2070a7fad303b.tar.gz |
more sanity checks to avoid buffer overflows (AFL)
-rw-r--r-- | camlibs/jl2005a/library.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/camlibs/jl2005a/library.c b/camlibs/jl2005a/library.c index 4db8749b3..243870636 100644 --- a/camlibs/jl2005a/library.c +++ b/camlibs/jl2005a/library.c @@ -164,8 +164,8 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename, { Camera *camera = user_data; int status = GP_OK; - int w, h = 0, k; - int i,j; + unsigned int w, h = 0; + int i,j,k; int b = 0; int compressed = 0; unsigned char header[5] = "\xff\xff\xff\xff\x55"; @@ -192,7 +192,7 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename, GP_DEBUG ("height is %i\n", h); /* sanity check against bad usb devices */ - if ((w ==0) || (w > 1024) || (h == 0) || (h > 1024)) return GP_ERROR; + if ((w ==0) || (w > 1024) || (h == 0) || (h > 1024)) return GP_ERROR_CORRUPTED_DATA; /* Image data to be downloaded contains header and footer bytes */ data = malloc (b+14); @@ -231,7 +231,7 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename, /* sanity check the sizes, as the ahd bayer algorithm does not like very small height / width */ if ((h < 72) || (w < 176)) { - status = GP_ERROR; + status = GP_ERROR_CORRUPTED_DATA; goto end; } p_data = malloc( w*h ); @@ -241,8 +241,13 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename, } if (compressed) jl2005a_decompress (image_start, p_data, w, h); - else + else { + if (w*h > b+14) { + status = GP_ERROR_CORRUPTED_DATA; + goto end; + } memcpy(p_data, image_start, w*h); + } ppm = malloc (w * h * 3 + 256); /* room for data and header */ if (!ppm) { free(p_data); @@ -265,7 +270,7 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename, gp_gamma_correct_single (gtable, ptr, w * h); gp_file_set_mime_type (file, GP_MIME_PPM); gp_file_set_data_and_size (file, (char *)ppm, size); - end: +end: free(data); return status; } |