diff options
author | Marcus Meissner <marcus@jet.franken.de> | 2017-07-27 13:24:14 +0200 |
---|---|---|
committer | Marcus Meissner <marcus@jet.franken.de> | 2017-07-27 13:24:14 +0200 |
commit | 32ee226491775537d3a96e8530c29faefacd6b3d (patch) | |
tree | 0e20d53920d09a1ff15b45d18c8e38ad6ba437be | |
parent | b27fd417aa06cb1e5302970276e7122cee4be318 (diff) | |
download | libgphoto2-32ee226491775537d3a96e8530c29faefacd6b3d.tar.gz |
check also entrysize field
-rw-r--r-- | camlibs/ptp2/ptp.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/camlibs/ptp2/ptp.c b/camlibs/ptp2/ptp.c index 7953edf9e..b712a909b 100644 --- a/camlibs/ptp2/ptp.c +++ b/camlibs/ptp2/ptp.c @@ -2476,9 +2476,19 @@ ptp_canon_eos_getobjectinfoex ( xdata = data+sizeof(uint32_t); for (i=0;i<*nrofentries;i++) { - unsigned int entrysize = dtoh32a(xdata); + unsigned int entrysize; + + if (4 + (xdata - data) > size) { + ptp_debug (params, "reading canon FEs run over read data size? (1)\n"); + free (*entries); + *entries = NULL; + *nrofentries = 0; + ret = PTP_RC_GeneralError; + goto exit; + } + entrysize = dtoh32a(xdata); if ((entrysize + (xdata-data)) > size) { - ptp_debug (params, "reading canon FEs run over read data size?\n"); + ptp_debug (params, "reading canon FEs run over read data size? (2)\n"); free (*entries); *entries = NULL; *nrofentries = 0; |