commit a0628a05191a81f88f83077f0c1616aa91f5c0f8
author Marco Nelissen <marcone@google.com> Fri Jun 10 22:01:27 2016 +0000
committer android-build-merger <android-build-merger@google.com> Fri Jun 10 22:01:27 2016 +0000
tree c5ba965b855e3850cf96912eaf8851f25c19816c
parent 2cbe01bf1d96c5770329ed1eaee7251400e44a36
parent 2a4c12f5e5808e309b9ba04fe8b1539debf466d1

Fix possible out of bounds access am: 751b4eba25 am: b201f04d8c am: 2d49e2de6e am: a3c15ad42d am: 6c2d0e45b5 am: dbefc1dc4a am: 854fedfa6b am: 2ea3783c81 am: e3574d919b am: 3daffc0fba
am: 2a4c12f5e5

Change-Id: I4638fa9d92c70bf0713d73b74671aa3591211a9f

exif.c

diff --git a/exif.c b/exif.c
index 55491fb..ffe9581 100644
--- a/exif.c
+++ b/exif.c
@@ -614,7 +614,7 @@
             unsigned OffsetVal;
             OffsetVal = Get32u(DirEntry+8);
             // If its bigger than 4 bytes, the dir entry contains an offset.
-            if (OffsetVal+ByteCount > ExifLength){
+            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
                 // Bogus pointer offset and / or bytecount value
                 ErrNonfatal("Illegal value pointer for tag %04x", Tag,0);
                 continue;