libexif: Avoid buffer overflow due to compiler optimization
Modify an arguments size check and decrease so that the
likelihood of the compiler removing it as part of
optimizations is low.
The arguments check must always be triggered to avoid
potential buffer overflows.
Bug: 159625731
Test: run sts-engbuild-no-spl-lock -m StsHostTestCases --test
android.security.sts.Poc20_08#testPocBug_159625731
Change-Id: I6f1b24a699c307b59e51dc0e22f4ed21f4b99feb
(cherry picked from commit 4c18b0fabf48fe4460b679805b0442d76a78bde7)
diff --git a/Android.bp b/Android.bp
index 62ba943..1db830f 100644
--- a/Android.bp
+++ b/Android.bp
@@ -50,6 +50,10 @@
"libexif/pentax/mnote-pentax-tag.c",
],
+ shared_libs: [
+ "liblog",
+ ],
+
export_include_dirs: ["."],
cflags: [
diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
index 4a90842..347539c 100644
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
@@ -31,6 +31,8 @@
#include <string.h>
#include <time.h>
#include <math.h>
+#include <limits.h>
+#include <log/log.h>
#ifndef M_PI
#define M_PI 3.14159265358979323846
@@ -1376,7 +1378,10 @@
case EXIF_TAG_XP_SUBJECT:
{
/* Sanity check the size to prevent overflow */
- if (e->size+sizeof(unsigned short) < e->size) break;
+ if (e->size > UINT_MAX - sizeof(unsigned short)) {
+ android_errorWriteLog(0x534e4554, "159625731");
+ break;
+ }
/* The tag may not be U+0000-terminated , so make a local
U+0000-terminated copy before converting it */
