author | Marcus Meissner <marcus@jet.franken.de> | 2016-10-30 19:35:25 +0100 |
---|---|---|
committer | Marcus Meissner <marcus@jet.franken.de> | 2016-10-30 19:35:42 +0100 |
commit | 1dbabf13f1a39ad544854bbdffbf4392c81239c4 (patch) | |
tree | 31222184eb3ff0e890a34787ed599aa9f71b3592 | |
parent | eed6c51acc208e5d12ac5bd2905e26a0b7058d88 (diff) | |
download | libgphoto2-1dbabf13f1a39ad544854bbdffbf4392c81239c4.tar.gz |
handle size of data in canon file entry decoder (AFL)
-rw-r--r-- | camlibs/ptp2/ptp.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/camlibs/ptp2/ptp.c b/camlibs/ptp2/ptp.c
index 28e64b944..835fee8e7 100644
--- a/camlibs/ptp2/ptp.c
+++ b/camlibs/ptp2/ptp.c
@@ -2405,6 +2405,11 @@ ptp_canon_eos_getobjectinfoex (
 return PTP_RC_OK;
 }
+ if (size < 4) {
+ ret = PTP_RC_GeneralError;
+ goto exit;
+ }
+
 *nrofentries = dtoh32a(data);
 *entries = malloc(*nrofentries * sizeof(PTPCANONFolderEntry));
 if (!*entries) {
@@ -2414,6 +2419,14 @@ ptp_canon_eos_getobjectinfoex (
 xdata = data+sizeof(uint32_t);
 for (i=0;i<*nrofentries;i++) {
+ if ((dtoh32a(xdata) + (xdata-data)) > size) {
+ ptp_debug (params, "reading canon FEs run over read data size?\n");
+ free (*entries);
+ *entries = NULL;
+ *nrofentries = 0;
+ ret = PTP_RC_GeneralError;
+ goto exit;
+ }
 ptp_unpack_Canon_EOS_FE (params, &xdata[4], &((*entries)[i]));
 xdata += dtoh32a(xdata);
 } |
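Review bot: The new `size < 4` guard protects the read of the entry count, but the count itself is still trusted when it reaches `malloc(*nrofentries * sizeof(PTPCANONFolderEntry))`, and that product can wrap where size_t is 32 bits, giving an allocation smaller than the loop later indexes. Each entry apparently starts with a 4-byte length field, so a count above `(size - 4) / 4` cannot be valid and could be rejected right after the `dtoh32a(data)` read; `*entries = calloc(*nrofentries, sizeof(PTPCANONFolderEntry));` would also catch the overflow. This error path leaves `*entries` and `*nrofentries` unset, unlike the one added inside the loop. The function starts and ends outside the hunk, so whether callers pre-initialise those outputs is not visible here.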
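Review bot: The added check in the loop calls `dtoh32a(xdata)` before confirming that four bytes remain at `xdata`, and it accepts any length below 4, including 0. `ptp_unpack_Canon_EOS_FE` can therefore still receive `&xdata[4]` at or past the end of the buffer, and a zero length never advances `xdata`. If the sum `dtoh32a(xdata) + (xdata-data)` is evaluated in 32 bits, a large length can also wrap and pass the comparison. Comparing the length against the bytes remaining avoids all three, as sketched below; the type of `size` is assumed to be unsigned int. The lower bound should really be the number of bytes the unpacker reads, which is not visible in this hunk.

```c
	for (i=0;i<*nrofentries;i++) {
		unsigned int remaining = size - (unsigned int)(xdata - data);
		unsigned int entrysize = 0;

		/* the 4-byte length field itself must lie inside the buffer */
		if (remaining >= 4)
			entrysize = dtoh32a(xdata);
		/* reject lengths too small to hold the length field or larger than what is left */
		if (entrysize < 4 || entrysize > remaining) {
			/* … unchanged: ptp_debug, free and reset of *entries / *nrofentries, goto exit … */
		}
		ptp_unpack_Canon_EOS_FE (params, &xdata[4], &((*entries)[i]));
		xdata += entrysize;
	}
```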