libexif: Fix unsigned integer overflow
(offset + 2) itself may overflow if offset is larger than UINT_MAX-2.
Refactor the code to avoid the overflow.
Test: adb shell /data/fuzz/$(get_build_var TARGET_ARCH)/libexif_fuzzer/libexif_fuzzer /data/tmp/test-case
Bug: 146428941
Change-Id: I2a7bb04002f166c92247f0e8abe1c5b826b29cb1
diff --git a/libexif/exif-data.c b/libexif/exif-data.c
index adfb512..25fe53b 100644
--- a/libexif/exif-data.c
+++ b/libexif/exif-data.c
@@ -39,6 +39,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
+#include <limits.h>
#undef JPEG_MARKER_SOI
#define JPEG_MARKER_SOI 0xd8
@@ -383,9 +384,9 @@
}
/* Read the number of entries */
- if ((offset + 2 < offset) || (offset + 2 < 2) || (offset + 2 > ds)) {
+ if ((offset > UINT_MAX - 2) || (offset + 2 > ds)) {
exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
- "Tag data past end of buffer (%u > %u)", offset+2, ds);
+ "Tag data past end of buffer (%u + 2 > %u)", offset, ds);
return;
}
n = exif_get_short (d + offset, data->priv->order);
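Review bot: The new guard `offset > UINT_MAX - 2` is only a correct overflow check if `offset` is exactly `unsigned int`; the `%u` in the log call suggests it is, but the declaration is outside the hunk, so that should be confirmed, since with a wider type the addition would never wrap at that bound and with a narrower one the comparison would be promoted away. A form that does not depend on the operand width and needs no `<limits.h>` is to compare against the buffer size instead of adding to the offset: `if ((ds < 2) || (offset > ds - 2)) {`, which rejects the same inputs (any `offset + 2 > ds`, and every case the old `offset + 2 < offset` / `offset + 2 < 2` tests covered) without ever forming `offset + 2`. Either way a short comment such as `/* check before adding so offset + 2 cannot wrap past ds */` would explain why the test is shaped this way. The enclosing function starts and ends outside the hunk.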