authorMarcus Meissner <meissner@suse.de>2020-02-13 14:32:07 +0100
committerMarcus Meissner <meissner@suse.de>2020-02-13 14:32:07 +0100
commit19c923e5d2767343d68010f367494409b6f02b4b (patch)
tree10cb40bded8f6901278527f0675eb2e161f80bc5
parent5581a92d48206f832e3eea23e5759ffb524a825c (diff)
downloadlibgphoto2-19c923e5d2767343d68010f367494409b6f02b4b.tar.gz
check buffersize before decoding to avoid overread (AFL)
-rw-r--r--camlibs/mars/library.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/camlibs/mars/library.c b/camlibs/mars/library.c
index 5c3d87a99..2ce113aac 100644
--- a/camlibs/mars/library.c
+++ b/camlibs/mars/library.c
@@ -233,10 +233,15 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename,
/* Now increase b from "actual size" to _downloaded_ size. */
b = ((b+ 0x1b0)/0x2000 + 1) * 0x2000;
- data = malloc (b);
+ if (w*h > b) {
+ GP_DEBUG ("w=%d, h=%d, w*h=%d, bytes read=%d\n", w,h,w*h,b);
+ return GP_ERROR_CORRUPTED_DATA;
+ }
+
+ data = calloc (b,1);
if (!data) return GP_ERROR_NO_MEMORY;
- memset (data, 0, b);
- GP_DEBUG ("buffersize= %i = 0x%x butes\n", b,b);
+
+ GP_DEBUG ("buffersize= %i = 0x%x bytes\n", b,b);
mars_read_picture_data (camera, camera->pl->info,
camera->port, (char *)data, b, k);
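Review bot: The new guard `if (w*h > b)` ignores the 12-byte header that is skipped when the payload is consumed (`data + 12` in the later hunk), so a buffer with `w*h <= b < w*h + 12` passes the check and could still be read past its end by a consumer that takes `w*h` bytes from that offset. The product is also computed in what the `%d` format suggests is plain `int`, and the origin of `w` and `h` is outside this hunk; if either can be influenced by device data, the multiplication may overflow before the comparison. I would write the guard as `if (w <= 0 || h <= 0 || (long long)w * h + 12 > b) {` and add a comment such as `/* payload starts 12 bytes into data; reject frames too short for w*h pixels */`. Separately, the return value of `mars_read_picture_data` is still discarded on the context lines below, so a short or failed read is only masked by the zero-filled `calloc` buffer rather than reported. The body of `get_file_func` starts and ends outside this hunk.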
@@ -290,10 +295,10 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename,
return GP_OK;
}
- p_data = malloc (w * h);
+ p_data = calloc (w,h);
if (!p_data) {free (data); return GP_ERROR_NO_MEMORY;}
- memset (p_data, 0, w * h);
-
+
+
if (compressed) {
mars_decompress (data + 12, p_data, w, h);
}
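Review bot: `mars_decompress (data + 12, p_data, w, h)` still receives no input length, so the decoder has no way to stop at the end of `data`, and the `w*h > b` test added in the first hunk constrains only the output size, not how many input bytes a malformed compressed stream makes it consume. Passing the remaining length, for example `mars_decompress (data + 12, b - 12, p_data, w, h)`, and checking it inside the decoder would close that gap; the decoder is defined elsewhere, so this needs a matching change there. Because that same test runs before the `compressed` branch, it may also reject compressed frames whose downloaded size is legitimately smaller than `w*h`, which is worth confirming against a real device. `calloc (w,h)` is a good replacement for `malloc (w * h)` since it checks the multiplication itself, but the two added blank lines carry trailing whitespace and can be dropped.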