Fix possible out of bounds accesses Bug: 30074856 Change-Id: I1a1387ed29d2e0d010b0d5d4bb3d29453a3a7666 (cherry picked from commit ee54e6ceb66e16b3c10c4a9fc8fbe5fff9110b62)

commit: 2f16b7702d30608778d165c2fb41c574f9ca1c68 [log] [tgz]
author: Sungsoo Lim <sungsoo@google.com> Wed Jul 20 10:37:20 2016 +0900
committer: gitbuildkicker <android-build@google.com> Mon Aug 01 19:12:55 2016 -0700
tree: 5f7bbb7854e85bf47160e765eb878c5ef6cafab0
parent: a0628a05191a81f88f83077f0c1616aa91f5c0f8 [diff]
diff --git a/gpsinfo.c b/gpsinfo.c
index ba2e82a..141cfc5 100644
--- a/gpsinfo.c
+++ b/gpsinfo.c

@@ -174,7 +174,7 @@
             unsigned OffsetVal;
             OffsetVal = Get32u(DirEntry+8);
             // If its bigger than 4 bytes, the dir entry contains an offset.
-            if (OffsetVal+ByteCount > ExifLength){
+            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
                 // Bogus pointer offset and / or bytecount value
                 ErrNonfatal("Illegal value pointer for tag %04x", Tag,0);
                 continue;

diff --git a/makernote.c b/makernote.c
index cf40c6b..514518d 100644
--- a/makernote.c
+++ b/makernote.c

@@ -62,7 +62,7 @@
             unsigned OffsetVal;
             OffsetVal = Get32u(DirEntry+8);
             // If its bigger than 4 bytes, the dir entry contains an offset.
-            if (OffsetVal+ByteCount > ExifLength){
+            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
                 // Bogus pointer offset and / or bytecount value
                 ErrNonfatal("Illegal value pointer for tag %04x", Tag,0);
                 continue;
commit	2f16b7702d30608778d165c2fb41c574f9ca1c68	[log] [tgz]
author	Sungsoo Lim <sungsoo@google.com>	Wed Jul 20 10:37:20 2016 +0900
committer	gitbuildkicker <android-build@google.com>	Mon Aug 01 19:12:55 2016 -0700
tree	5f7bbb7854e85bf47160e765eb878c5ef6cafab0
parent	a0628a05191a81f88f83077f0c1616aa91f5c0f8 [diff]