Fix possible out of bounds access am: 751b4eba25 am: b201f04d8c am: 2d49e2de6e Change-Id: Ie0b97678f3c3281c52ab8cce5447e07f45b4c6c9

commit: a3c15ad42d2a54afd18c2683a0a1b0c80524a6c0 [log] [tgz]
author: Marco Nelissen <marcone@google.com> Fri Jun 10 21:31:12 2016 +0000
committer: android-build-merger <android-build-merger@google.com> Fri Jun 10 21:31:12 2016 +0000
tree: 02cce0896b530595982270ec0dfc3163c65a7321
parent: afe9f55ee6ba3eaee02e7b13809a534ebe98d34a [diff]
parent: 2d49e2de6e0927f0b1dd7122f8c5ef0f5c932278 [diff]
diff --git a/exif.c b/exif.c
index 472c45e..64ef19a 100644
--- a/exif.c
+++ b/exif.c

@@ -614,7 +614,7 @@
             unsigned OffsetVal;
             OffsetVal = Get32u(DirEntry+8);
             // If its bigger than 4 bytes, the dir entry contains an offset.
-            if (OffsetVal+ByteCount > ExifLength){
+            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
                 // Bogus pointer offset and / or bytecount value
                 ErrNonfatal("Illegal value pointer for tag %04x", Tag,0);
                 continue;
commit	a3c15ad42d2a54afd18c2683a0a1b0c80524a6c0	[log] [tgz]
author	Marco Nelissen <marcone@google.com>	Fri Jun 10 21:31:12 2016 +0000
committer	android-build-merger <android-build-merger@google.com>	Fri Jun 10 21:31:12 2016 +0000
tree	02cce0896b530595982270ec0dfc3163c65a7321
parent	afe9f55ee6ba3eaee02e7b13809a534ebe98d34a [diff]
parent	2d49e2de6e0927f0b1dd7122f8c5ef0f5c932278 [diff]