commit 92f207cbcf8e03084709101abfd59124a5cbc3a9
author Teow Wan Yee <wy.teow@hi-p.com> Wed Aug 24 09:50:36 2016 +0800
committer Jeron Susan <jeron.susan@hi-p.com> Wed Aug 24 11:47:04 2016 +0800
tree c697be7f10f9263b2dbb4b9f5ca9be486c6a018b
parent d0dbe6303812bf4f9a365ca686171b0d2f80b193

FPII-2292 : Update- Remote code execution vulnerability in libjhead CVE-2016-3822 A-30074856

A-30074856 The offsetval length passed to ProcessExifDir in jhead could lead
to an out-of-bounds write.
This fix is designed to check offsetval for an integer overflow to prevent an
out-of-bounds write.

Change-Id: I168017a307b8a63dea793dd1a82b8c3dec3a69fa

gpsinfo.c

diff --git a/gpsinfo.c b/gpsinfo.c
index cbf261e..0377300 100644
--- a/gpsinfo.c
+++ b/gpsinfo.c
@@ -174,7 +174,7 @@
             unsigned OffsetVal;
             OffsetVal = Get32u(DirEntry+8);
             // If its bigger than 4 bytes, the dir entry contains an offset.
-            if (OffsetVal+ByteCount > ExifLength){
+            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
                 // Bogus pointer offset and / or bytecount value
                 ErrNonfatal("Illegal value pointer for tag %04x", Tag,0);
                 continue;

makernote.c

diff --git a/makernote.c b/makernote.c
index cf40c6b..1248b80 100644
--- a/makernote.c
+++ b/makernote.c
@@ -62,7 +62,7 @@
             unsigned OffsetVal;
             OffsetVal = Get32u(DirEntry+8);
             // If its bigger than 4 bytes, the dir entry contains an offset.
-            if (OffsetVal+ByteCount > ExifLength){
+        if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
                 // Bogus pointer offset and / or bytecount value
                 ErrNonfatal("Illegal value pointer for tag %04x", Tag,0);
                 continue;