AuroraMiddleware/skia2
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Consider overflow in is_orientation_marker

Browse Source 
Bug: skia:7404

Use a uint64_t to store the four byte integer in order to protect
against overflow in the encoded (untrusted) offset.

Change-Id: I9592983a7a5353219507b7ec85eae2f2c4a16a1a
Reviewed-on: https://skia-review.googlesource.com/85900
Commit-Queue: Leon Scroggins <scroggo@google.com>
Reviewed-by: Herb Derby <herb@google.com>
Reviewed-by: Kevin Lubick <kjlubick@google.com>
This commit is contained in:
Leon Scroggins III 2017-12-19 10:14:43 -05:00 committed by Skia Commit-Bot
parent 031e7cf5ed
commit 71d8a5713e
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/codec/SkJpegCodec.cpp
View File

@ -63,7 +63,8 @@ static bool is_orientation_marker(jpeg_marker_struct* marker, SkEncodedOrigin* o
// Get the offset from the start of the marker.
// Account for 'E', 'x', 'i', 'f', '\0', '<fill byte>'.
uint32_t offset = get_endian_int(data + 10, littleEndian);
// Though this only reads four bytes, use a larger int in case it overflows.
uint64_t offset = get_endian_int(data + 10, littleEndian);
offset += sizeof(kExifSig) + 1;
// Require that the marker is at least large enough to contain the number of entries.
@ -74,7 +75,8 @@ static bool is_orientation_marker(jpeg_marker_struct* marker, SkEncodedOrigin* o
// Tag (2 bytes), Datatype (2 bytes), Number of elements (4 bytes), Data (4 bytes)
const uint32_t kEntrySize = 12;
numEntries = SkTMin(numEntries, (marker->data_length - offset - 2) / kEntrySize);
const auto max = SkTo<uint32_t>((marker->data_length - offset - 2) / kEntrySize);
numEntries = SkTMin(numEntries, max);
// Advance the data to the start of the entries.
data += offset + 2;