harden the directory compare function against overreads

this could lead to weird crashes, see https://github.com/gphoto/gphoto2/issues/369
author: Marcus Meissner <marcus@jet.franken.de> 2021-09-19 15:53:20 +0200
committer: Marcus Meissner <marcus@jet.franken.de> 2021-09-19 15:53:20 +0200
commit: 0d5bff48e619377007889c3c18db5f48ddfa8648 (patch)
tree: 20e3e3954671a76c4004d13d8fed5d232bd00f02 /camlibs
parent: ca1568067d2e71ee11b494b6c325990d0c9546c8 (diff)
download: libgphoto2-0d5bff48e619377007889c3c18db5f48ddfa8648.tar.gz
1 files changed, 7 insertions, 3 deletions
diff --git a/camlibs/canon/canon.c b/camlibs/canon/canon.c
index 9393f0b0e..efa7b3985 100644
--- a/camlibs/canon/canon.c
+++ b/camlibs/canon/canon.c
@@ -1309,9 +1309,13 @@ void canon_int_find_new_image (
 
         path->folder[0] = 0; /* Start with null pathname string. */
         GP_DEBUG ( "canon_int_find_new_image: starting directory compare" );
-        while ( le16atoh ( old_entry+CANON_DIRENT_ATTRS ) != 0
-                || le32atoh ( old_entry + CANON_DIRENT_SIZE ) != 0
-                || le32atoh ( old_entry + CANON_DIRENT_TIME ) != 0 ) {
+        while ( (((new_entry - (char*)final_state) < final_state_length) &&
+		((old_entry - (char*)initial_state) < initial_state_length)) &&
+		(	le16atoh ( old_entry + CANON_DIRENT_ATTRS ) != 0 ||
+			le32atoh ( old_entry + CANON_DIRENT_SIZE ) != 0 ||
+			le32atoh ( old_entry + CANON_DIRENT_TIME ) != 0
+		)
+	) {
                 char *old_name = old_entry + CANON_DIRENT_NAME,
                         *new_name = new_entry + CANON_DIRENT_NAME;
                 GP_DEBUG ( " old entry \"%s\", attr = 0x%02x, size=%i",
author	Marcus Meissner <marcus@jet.franken.de>	2021-09-19 15:53:20 +0200
committer	Marcus Meissner <marcus@jet.franken.de>	2021-09-19 15:53:20 +0200
commit	0d5bff48e619377007889c3c18db5f48ddfa8648 (patch)
tree	20e3e3954671a76c4004d13d8fed5d232bd00f02 /camlibs
parent	ca1568067d2e71ee11b494b6c325990d0c9546c8 (diff)
download	libgphoto2-0d5bff48e619377007889c3c18db5f48ddfa8648.tar.gz