author | Marcus Meissner <marcus@jet.franken.de> | 2020-01-01 11:41:51 +0100 |
---|---|---|
committer | Marcus Meissner <marcus@jet.franken.de> | 2020-01-01 11:41:51 +0100 |
commit | c089b8d11044d225deee75522c797db1ce388a94 (patch) | |
tree | 4a1df41af3486931eb68c76b8c558fccae1e77c5 | |
parent | 52d7b2ea49a9f6b388550f6c52d2070a7fad303b (diff) | |
more sanity checks for sizes (AFL)
-rw-r--r-- | camlibs/lg_gsm/lg_gsm.c | 10 | ||||
-rw-r--r-- | camlibs/lg_gsm/lg_gsm.h | 2 | ||||
-rw-r--r-- | camlibs/lg_gsm/library.c | 2 |
3 files changed, 10 insertions, 4 deletions
diff --git a/camlibs/lg_gsm/lg_gsm.c b/camlibs/lg_gsm/lg_gsm.c
index 89ab2b472..b6266fbe2 100644
--- a/camlibs/lg_gsm/lg_gsm.c
+++ b/camlibs/lg_gsm/lg_gsm.c
@@ -116,7 +116,7 @@ unsigned int lg_gsm_get_picture_size (GPPort *port, int pic)
 return size;
 }
-int lg_gsm_read_picture_data (GPPort *port, char *data, int size, int n)
+int lg_gsm_read_picture_data (GPPort *port, char *data, unsigned int datasize, unsigned int n)
 {
 char listphotos[] = "\x04\x0\x08\x0\x0\x0\x40\x0\x0\x0\x0\x0\x0\x0";
@@ -127,6 +127,7 @@ int lg_gsm_read_picture_data (GPPort *port, char *data, int size, int n)
 char block[50000];
 char oknok[6];
+ unsigned int size;
 int pos=0;
 int block_size=50000;
 int header_size=8;
@@ -158,11 +159,15 @@ int lg_gsm_read_picture_data (GPPort *port, char *data, int size, int n)
 /* then read 142 */
 READ(port, photodesc, 142);
 size = (int)photodesc[138] + (int)photodesc[139]*0x100 + (int)photodesc[140]*0x10000+(int)photodesc[141]*0x1000000;
- GP_DEBUG(" size of picture %i is 0x%x\n", n, size);
+ GP_DEBUG(" size of picture %i is 0x%x", n, size);
 /* max. 1280x960x24bits ? */
 if ( (size >= 0x384000 ) ) {
 return GP_ERROR;
 }
+ if (datasize < size) {
+ GP_DEBUG("size of picture %u, previous read %u", datasize, size);
+ return GP_ERROR_CORRUPTED_DATA;
+ }
 memcpy(getphoto, &get_photo_cmd[0], 10);
 memcpy(getphoto +10, &n, 1); /*TODO: fix this*/
@@ -180,6 +185,7 @@ int lg_gsm_read_picture_data (GPPort *port, char *data, int size, int n)
 for (i = 1 ; i <= nb_blocks ; i++) {
 remain = size - pos;
+ GP_DEBUG ("size %d, pos %d, remain %d, block_size %d, header_size %d", size, pos, remain, block_size, header_size);
 if (remain >= block_size - header_size) {
 READ(port, block, block_size);
diff --git a/camlibs/lg_gsm/lg_gsm.h b/camlibs/lg_gsm/lg_gsm.h
index 893dcd44a..bcbb2372a 100644
--- a/camlibs/lg_gsm/lg_gsm.h
+++ b/camlibs/lg_gsm/lg_gsm.h
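Review bot: In lg_gsm_read_picture_data (lg_gsm.c, hunk at -158), the 0x384000 cap and the new `datasize < size` check both trust a `size` that is still assembled with `(int)photodesc[...]` casts. The declaration of `photodesc` is outside the hunk, but if it is a plain `char` array, bytes of 0x80 or above are sign-extended where `char` is signed and the `int` arithmetic can overflow, so the value being checked may not be the length the device sent. I would build it from unsigned bytes, e.g. `size = (unsigned char)photodesc[138] | ((unsigned int)(unsigned char)photodesc[139] << 8) | ((unsigned int)(unsigned char)photodesc[140] << 16) | ((unsigned int)(unsigned char)photodesc[141] << 24);`. The new debug message also prints `datasize` under "size of picture" and `size` under "previous read", which looks swapped. The function body starts and ends outside this hunk.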
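Review bot: The `GP_DEBUG` added inside the block loop of lg_gsm_read_picture_data (lg_gsm.c, hunk at -180) prints `size` with `%d` although this commit makes it `unsigned int`; the -158 hunk has the same mismatch, printing the now-unsigned `n` with `%i`. Use `%u` in both places, e.g. `GP_DEBUG ("size %u, pos %d, remain %d, block_size %d, header_size %d", size, pos, remain, block_size, header_size);`. Separately, `remain = size - pos` now mixes the unsigned `size` with `int pos`, so the subtraction is carried out in unsigned arithmetic. The type of `remain` and the computation of `nb_blocks` are outside the hunk, so it is worth confirming there that `pos` can never exceed `size`.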
@@ -31,7 +31,7 @@ typedef enum {
 int lg_gsm_init (GPPort *port, Model *model, Info *info);
 unsigned int lg_gsm_get_picture_size (GPPort *port, int pic);
-int lg_gsm_read_picture_data (GPPort *port, char *data, int size, int n);
+int lg_gsm_read_picture_data (GPPort *port, char *data, unsigned int size, unsigned int n);
 int lg_gsm_list_files (GPPort *port, CameraList *list);
 #endif
diff --git a/camlibs/lg_gsm/library.c b/camlibs/lg_gsm/library.c
index f1333fbf7..6ecb26ccf 100644
--- a/camlibs/lg_gsm/library.c
+++ b/camlibs/lg_gsm/library.c
@@ -139,7 +139,7 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename,
 int k;
 char *data;
- int len;
+ unsigned int len;
 k = gp_filesystem_number(camera->fs, "/", filename, context); |
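Review bot: The prototype in lg_gsm.h still names the third parameter `size`, while the definition in lg_gsm.c renames it to `datasize` because `size` is now the local that holds the device-reported length. Using `datasize` here as well would keep the two in step. A short comment on the declaration, such as `/* datasize: capacity of data in bytes; returns GP_ERROR_CORRUPTED_DATA if the camera reports a larger picture */`, would make the new contract visible to callers.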