Description: Fix possible out of bounds access Bug-Debian: http://bugs.debian.org/858213 Origin: https://android.googlesource.com/platform/external/jhead/+/bae671597d47b9e5955c4cb742e468cebfd7ca6b --- a/exif.c +++ b/exif.c @@ -9,6 +9,7 @@ #include "jhead.h" #include <math.h> +#include <stdint.h> static unsigned char * DirWithThumbnailPtrs; static double FocalplaneXRes; @@ -527,7 +528,7 @@ unsigned OffsetVal; OffsetVal = Get32u(DirEntry+8); // If its bigger than 4 bytes, the dir entry contains an offset. - if (OffsetVal+ByteCount > ExifLength){ + if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){ // Bogus pointer offset and / or bytecount value ErrNonfatal("Illegal value pointer for tag %04x in Exif", Tag,0); continue;