sanity check picture number to avoid overflow (AFL)

2 files changed, 7 insertions, 1 deletions

diff --git a/camlibs/lg_gsm/lg_gsm.c b/camlibs/lg_gsm/lg_gsm.c
index 6ead1b4a2..5b7779a1c 100644
--- a/camlibs/lg_gsm/lg_gsm.c
+++ b/camlibs/lg_gsm/lg_gsm.c
@@ -66,6 +66,7 @@ int lg_gsm_init (GPPort *port, Model *model, Info *info)
 
 	/* This information, too. */
 	memcpy (info, &firmware[6], 40);
+	info[39] = 0;
 
 	GP_DEBUG("info = %s\n", info);
 	/*GP_DEBUG("info[20] = 0x%x\n", firmware[26]);*/
@@ -235,6 +236,9 @@ int lg_gsm_list_files (GPPort *port, CameraList *list)
 
 	num_pics=photonumber[20]+256*photonumber[21];
 
+	GP_DEBUG ("num_pics = %d\n", num_pics);
+	if (num_pics > 1000) return GP_ERROR;
+
 	/* increase timeout to 20s */
 	/*port->timeout=20000;*/
 	/* read 142 * nb_photos */
diff --git a/camlibs/lg_gsm/library.c b/camlibs/lg_gsm/library.c
index eb7186bc1..f1333fbf7 100644
--- a/camlibs/lg_gsm/library.c
+++ b/camlibs/lg_gsm/library.c
@@ -95,9 +95,11 @@ camera_summary (Camera *camera, CameraText *summary, GPContext *context)
 
 	char firmware[20];
 	char firmware_version[20];
+
 	memcpy(firmware,&camera->pl->info[0],20);
+	firmware[19] = 0;
 	memcpy(firmware_version,&camera->pl->info[20],20);
-
+	firmware_version[19] = 0;
 
 	sprintf (summary->text,_("Your USB camera seems to be a LG GSM.\n"
 			"Firmware: %s\n"