From e25b3983489cd290edef693e78c0af694d3cd010 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Sat, 29 Apr 2017 13:15:46 +0200
Subject: Added some more size checks to ptp_unpack_OPL to avoid crashes on too short data (AFL)

---
 camlibs/ptp2/ptp-pack.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
index 2e1d8e6b5..a36fb8b6d 100644
--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
@@ -1342,24 +1342,32 @@ _compare_func(const void* x, const void *y) {
 static inline int
 ptp_unpack_OPL (PTPParams *params, unsigned char* data, MTPProperties **pprops, unsigned int len)
 {
-	uint32_t prop_count = dtoh32a(data);
+	uint32_t prop_count;
 	MTPProperties *props = NULL;
 	unsigned int offset = 0, i;
 
+	if (len < sizeof(uint32_t)) {
+		ptp_debug (params ,"must have at least 4 bytes data, not %d", len);
+		return 0;
+	}
+
+	prop_count = dtoh32a(data);
 	*pprops = NULL;
 	if (prop_count == 0)
 		return 0;
+
 	if (prop_count >= INT_MAX/sizeof(MTPProperties)) {
 		ptp_debug (params ,"prop_count %d is too large", prop_count);
 		return 0;
 	}
 	ptp_debug (params ,"Unpacking MTP OPL, size %d (prop_count %d)", len, prop_count);
+
 	data += sizeof(uint32_t);
 	len -= sizeof(uint32_t);
 	props = malloc(prop_count * sizeof(MTPProperties));
 	if (!props) return 0;
 	for (i = 0; i < prop_count; i++) {
-		if (len <= 0) {
+		if (len <= (sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t))) {
 			ptp_debug (params ,"short MTP Object Property List at property %d (of %d)", i, prop_count);
 			ptp_debug (params ,"device probably needs DEVICE_FLAG_BROKEN_MTPGETOBJPROPLIST_ALL");
 			ptp_debug (params ,"or even DEVICE_FLAG_BROKEN_MTPGETOBJPROPLIST", i);
@@ -1367,6 +1375,8 @@ ptp_unpack_OPL (PTPParams *params, unsigned char* data, MTPProperties **pprops,
 			*pprops = props;
 			return i;
 		}
+
+
 		props[i].ObjectHandle = dtoh32a(data);
 		data += sizeof(uint32_t);
 		len -= sizeof(uint32_t);
-- 
cgit v1.2.1
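Review bot: The new per-property check `if (len <= (sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t)))` means every property must consume at least 8 bytes of the remaining `len`, yet `prop_count` is still bounded only by `INT_MAX/sizeof(MTPProperties)`, so a 4-byte message whose count field sits just under that limit still drives `malloc(prop_count * sizeof(MTPProperties))` to an allocation approaching INT_MAX bytes before the loop rejects the data on its first iteration. Since the hunk now guarantees `len >= sizeof(uint32_t)` before the count is read, the count can be bounded by the payload instead; after the INT_MAX check add `if (prop_count > (len - sizeof(uint32_t)) / (sizeof(uint32_t) + 2 * sizeof(uint16_t))) {` / `ptp_debug (params ,"prop_count %u does not fit in %u bytes", prop_count, len); return 0;` / `}`. The per-property check covers only the fixed ObjectHandle/property-code/datatype header; the variable-length value decode that follows is outside both hunks, so whether it is bounded against `len` cannot be confirmed from here. Minor: the new `ptp_debug (params ,"must have at least 4 bytes data, not %d", len)` formats the `unsigned int` `len` with `%d`, where `%u` matches the type. ptp_unpack_OPL starts in the first hunk but its body continues past the end of the second.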