author | Marcus Meissner <meissner@suse.de> | 2020-02-13 14:32:07 +0100 |
---|---|---|
committer | Marcus Meissner <meissner@suse.de> | 2020-02-13 14:32:07 +0100 |
commit | 19c923e5d2767343d68010f367494409b6f02b4b (patch) | |
tree | 10cb40bded8f6901278527f0675eb2e161f80bc5 | |
parent | 5581a92d48206f832e3eea23e5759ffb524a825c (diff) | |
check buffersize before decoding to avoid overread (AFL)
-rw-r--r-- | camlibs/mars/library.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/camlibs/mars/library.c b/camlibs/mars/library.c
index 5c3d87a99..2ce113aac 100644
--- a/camlibs/mars/library.c
+++ b/camlibs/mars/library.c
@@ -233,10 +233,15 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename,
 /* Now increase b from "actual size" to _downloaded_ size. */
 b = ((b+ 0x1b0)/0x2000 + 1) * 0x2000;
- data = malloc (b);
+ if (w*h > b) {
+ GP_DEBUG ("w=%d, h=%d, w*h=%d, bytes read=%d\n", w,h,w*h,b);
+ return GP_ERROR_CORRUPTED_DATA;
+ }
+
+ data = calloc (b,1);
 if (!data) return GP_ERROR_NO_MEMORY;
- memset (data, 0, b);
- GP_DEBUG ("buffersize= %i = 0x%x butes\n", b,b);
+
+ GP_DEBUG ("buffersize= %i = 0x%x bytes\n", b,b);
 mars_read_picture_data (camera, camera->pl->info, camera->port, (char *)data, b, k);
@@ -290,10 +295,10 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename,
 return GP_OK;
 }
- p_data = malloc (w * h);
+ p_data = calloc (w,h);
 if (!p_data) {free (data); return GP_ERROR_NO_MEMORY;}
- memset (p_data, 0, w * h);
-
+
+
 if (compressed) {
 mars_decompress (data + 12, p_data, w, h);
 } |
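Review bot: The new guard `if (w*h > b)` multiplies before it compares, and the `%d` formats in the added GP_DEBUG suggest `w`, `h` and `b` are plain `int`, so an oversized or negative dimension could overflow or slip past the comparison. The declarations and the code that sets `w` and `h` lie outside the hunk, so this is inferred; if those values can be influenced by data from the device, the division form `if (w <= 0 || h <= 0 || h > b / w)` rejects the same cases without the multiplication. The debug text also says "bytes read" although nothing has been read yet at that point, since `b` is the computed download size. get_file_func begins and ends outside this hunk.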
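Review bot: The compressed path still calls `mars_decompress (data + 12, p_data, w, h)` without an input length, so the size check added in the first hunk relates the output size to `b` but does not bound how far the decoder reads into `data`, and it does not account for the 12-byte offset. The decoder body is not visible here, so whether a malformed stream can drive it past `b` bytes is unconfirmed. Passing the remaining length (`b - 12`) into the decoder would make the bound enforceable; failing that, a comment above the call such as `/* input bound: decoder consumes at most <bound> bytes from data + 12, which fits in b because ... */` would at least make the assumption reviewable. The enclosing function continues outside this hunk.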