libexif: Avoid buffer overflow due to compiler optimization
Modify an arguments size check and decrease so that the
likelihood of the compiler removing it as part of
optimizations is low.
The arguments check must always be triggered to avoid
potential buffer overflows.
Bug: 159625731
Test: run sts-engbuild-no-spl-lock -m StsHostTestCases --test
android.security.sts.Poc20_08#testPocBug_159625731
Change-Id: I6f1b24a699c307b59e51dc0e22f4ed21f4b99feb
diff --git a/Android.bp b/Android.bp
index f648a4b..d18f05d 100644
--- a/Android.bp
+++ b/Android.bp
@@ -50,6 +50,10 @@
"libexif/pentax/mnote-pentax-tag.c",
],
+ shared_libs: [
+ "liblog",
+ ],
+
export_include_dirs: ["."],
cflags: [
diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
index 0f72865..0ffb83e 100644
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
@@ -31,6 +31,8 @@
#include <string.h>
#include <time.h>
#include <math.h>
+#include <limits.h>
+#include <log/log.h>
#ifndef M_PI
#define M_PI 3.14159265358979323846
@@ -1376,7 +1378,10 @@
case EXIF_TAG_XP_SUBJECT:
{
/* Sanity check the size to prevent overflow */
- if (e->size+sizeof(unsigned short) < e->size) break;
+ if (e->size > UINT_MAX - sizeof(unsigned short)) {
+ android_errorWriteLog(0x534e4554, "159625731");
+ break;
+ }
/* The tag may not be U+0000-terminated , so make a local
U+0000-terminated copy before converting it */
