authorMarcus Meissner <marcus@jet.franken.de>2016-02-24 08:09:44 +0100
committerMarcus Meissner <marcus@jet.franken.de>2016-02-24 08:09:44 +0100
commit161fc8ac9258456c9b71f49bf29cd9be380f2d63 (patch)
tree08b822e6f2ebe1d8391e3469a62e75e7679e0e69
parent70206890d0d4c51832832590dec845fb542db408 (diff)
downloadlibgphoto2-161fc8ac9258456c9b71f49bf29cd9be380f2d63.tar.gz
array sizes might be valid, but still too large for malloc,
leading to NULL ptr deref crashes (AFL)
-rw-r--r--camlibs/ptp2/ptp-pack.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
index 8dab90545..346e3b253 100644
--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
@@ -281,6 +281,8 @@ ptp_unpack_uint32_t_array(PTPParams *params, unsigned char* data, unsigned int o
}
*array = malloc (n*sizeof(uint32_t));
+ if (!*array)
+ return 0;
for (i=0;i<n;i++)
(*array)[i]=dtoh32a(&data[offset+(sizeof(uint32_t)*(i+1))]);
return n;
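Review bot: The added NULL check in ptp_unpack_uint32_t_array does not cover the case where `n*sizeof(uint32_t)` wraps on a target with a 32-bit size_t: malloc then succeeds with a short buffer and the loop below still writes n elements. The count n presumably comes from the device-supplied buffer, and whether the check that ends just above the hunk already bounds it is not visible here. Using `*array = calloc (n, sizeof(uint32_t));` would make the allocation itself fail on overflow, so the new `return 0` path catches it. The same applies to `malloc (n*sizeof(uint16_t))` in the ptp_unpack_uint16_t_array hunk. Returning 0 also makes an allocation failure indistinguishable from an empty array for callers; a short comment such as `/* out of memory: reported as an empty array, *array is NULL */` would document that.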
@@ -292,6 +294,8 @@ ptp_pack_uint32_t_array(PTPParams *params, uint32_t *array, uint32_t arraylen, u
uint32_t i=0;
*data = malloc ((arraylen+1)*sizeof(uint32_t));
+ if (!*data)
+ return 0;
htod32a(&(*data)[0],arraylen);
for (i=0;i<arraylen;i++)
htod32a(&(*data)[sizeof(uint32_t)*(i+1)], array[i]);
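Review bot: `(arraylen+1)*sizeof(uint32_t)` in ptp_pack_uint32_t_array can wrap before malloc sees it: with arraylen at UINT32_MAX the sum wraps to 0 in 32-bit unsigned arithmetic, and on targets with a 32-bit size_t smaller counts wrap in the multiplication as well. malloc may then return a non-NULL short buffer, so the new check passes and the htod32a writes run past the allocation. A guard ahead of the allocation, `if (arraylen >= UINT32_MAX/sizeof(uint32_t)) return 0;`, closes that; whether any caller can pass such a length is not visible from this hunk. The function's return statement is outside the hunk, so it is worth confirming that callers treat 0 as failure.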
@@ -316,6 +320,8 @@ ptp_unpack_uint16_t_array(PTPParams *params, unsigned char* data, unsigned int o
return 0;
}
*array = malloc (n*sizeof(uint16_t));
+ if (!*array)
+ return 0;
for (i=0;i<n;i++)
(*array)[i]=dtoh16a(&data[offset+(sizeof(uint16_t)*(i+2))]);
return n;