authorMarcus Meissner <marcus@jet.franken.de>2019-12-31 08:41:56 +0100
committerMarcus Meissner <marcus@jet.franken.de>2019-12-31 08:41:56 +0100
commitf2c2aefe4e8eef9582e816d847be4b765f01699c (patch)
tree788c50b3202fd0f6120c51c74e0f7718ecd03ad7
parent03fb4a5a408244d3f05f0a4dad01287dfa43bc19 (diff)
avoid integer overflow (AFL)
-rw-r--r--camlibs/ricoh/g3.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/camlibs/ricoh/g3.c b/camlibs/ricoh/g3.c
index af37467d8..9c1a74074 100644
--- a/camlibs/ricoh/g3.c
+++ b/camlibs/ricoh/g3.c
@@ -69,10 +69,12 @@ g3_channel_read(GPPort *port, int *channel, char **buffer, unsigned int *len)
*channel = xbuf[1];
*len = xbuf[4] + (xbuf[5]<<8) + (xbuf[6]<<16) + (xbuf[7]<<24);
+ if (*len >= 0xffffffff-0x800-1) return GP_ERROR_CORRUPTED_DATA;
/* Safety buffer of 0x800 ... we can only read in 0x800 chunks,
* otherwise the communication gets hickups. However *len might be
* less.
*/
+ gp_log(GP_LOG_DEBUG, "g3" ,"length %u\n", *len);
if (!*buffer)
*buffer = malloc(*len + 1 + 0x800);
else