author | Marcus Meissner <marcus@jet.franken.de> | 2016-02-24 08:09:44 +0100 |
---|---|---|
committer | Marcus Meissner <marcus@jet.franken.de> | 2016-02-24 08:09:44 +0100 |
commit | 161fc8ac9258456c9b71f49bf29cd9be380f2d63 (patch) | |
tree | 08b822e6f2ebe1d8391e3469a62e75e7679e0e69 | |
parent | 70206890d0d4c51832832590dec845fb542db408 (diff) | |
download | libgphoto2-161fc8ac9258456c9b71f49bf29cd9be380f2d63.tar.gz |
array sizes might be valid, but still too large for malloc,
leading to NULL ptr deref crashes (AFL)
-rw-r--r-- | camlibs/ptp2/ptp-pack.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
index 8dab90545..346e3b253 100644
--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
@@ -281,6 +281,8 @@ ptp_unpack_uint32_t_array(PTPParams *params, unsigned char* data, unsigned int o
  }
  *array = malloc (n*sizeof(uint32_t));
+ if (!*array)
+ return 0;
  for (i=0;i<n;i++)
  (*array)[i]=dtoh32a(&data[offset+(sizeof(uint32_t)*(i+1))]);
  return n;
@@ -292,6 +294,8 @@ ptp_pack_uint32_t_array(PTPParams *params, uint32_t *array, uint32_t arraylen, u
  uint32_t i=0;
  *data = malloc ((arraylen+1)*sizeof(uint32_t));
+ if (!*data)
+ return 0;
  htod32a(&(*data)[0],arraylen);
  for (i=0;i<arraylen;i++)
  htod32a(&(*data)[sizeof(uint32_t)*(i+1)], array[i]);
@@ -316,6 +320,8 @@ ptp_unpack_uint16_t_array(PTPParams *params, unsigned char* data, unsigned int o
  return 0;
  }
  *array = malloc (n*sizeof(uint16_t));
+ if (!*array)
+ return 0;
  for (i=0;i<n;i++)
  (*array)[i]=dtoh16a(&data[offset+(sizeof(uint16_t)*(i+2))]);
  return n; |
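Review bot: The new `if (!*array) return 0;` in ptp_unpack_uint32_t_array catches a failed allocation but not a wrapped one: `n*sizeof(uint32_t)` is evaluated in size_t, so where size_t is 32 bits a large n can wrap to a small size, malloc succeeds, and the loop that follows writes past the buffer. The checks ahead of the malloc are outside the hunk, so an upper bound on n may already be enforced there; if it is not, `if (n > SIZE_MAX/sizeof(uint32_t)) return 0;` before the allocation, or `calloc(n, sizeof(uint32_t))`, closes the gap. The same applies to `n*sizeof(uint16_t)` in the ptp_unpack_uint16_t_array hunk. Both functions begin and end outside their hunks.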
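Review bot: In ptp_pack_uint32_t_array the size expression `(arraylen+1)*sizeof(uint32_t)` can yield a buffer that is too small yet still passes the added NULL check. `arraylen+1` is evaluated in uint32_t and wraps to 0 when arraylen is UINT32_MAX, and malloc(0) may return a non-NULL pointer that the next line, `htod32a(&(*data)[0],arraylen)`, then writes into. A guard such as `if (arraylen >= UINT32_MAX/sizeof(uint32_t)) return 0;` ahead of the malloc rejects those lengths on both 32- and 64-bit targets. Since 0 is now the out-of-memory return, a short comment stating that callers must treat 0 as failure with `*data` left NULL would help; the function's normal return value is outside the hunk.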