Merge the 2021-02-05 SPL branch from AOSP-Partner
* security-aosp-pi-release:
fixes some (not all) buffer over-reads when decoding pentax makernote entries.
libexif: Avoid buffer overflow due to compiler optimization
Change-Id: If04d0337b2875d56b2b4feba7bb09af5753108c7
diff --git a/Android.bp b/Android.bp
index 62ba943..1db830f 100644
--- a/Android.bp
+++ b/Android.bp
@@ -50,6 +50,10 @@
"libexif/pentax/mnote-pentax-tag.c",
],
+ shared_libs: [
+ "liblog",
+ ],
+
export_include_dirs: ["."],
cflags: [
diff --git a/libexif/exif-entry.c b/libexif/exif-entry.c
index 0f72865..0ffb83e 100644
--- a/libexif/exif-entry.c
+++ b/libexif/exif-entry.c
@@ -31,6 +31,8 @@
#include <string.h>
#include <time.h>
#include <math.h>
+#include <limits.h>
+#include <log/log.h>
#ifndef M_PI
#define M_PI 3.14159265358979323846
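Review bot: `#include <log/log.h>` is an Android liblog header placed unconditionally between standard headers, so this translation unit no longer compiles in a non-Android build of libexif; the neighbouring includes are all from the C standard library. Since this is the AOSP copy (Android.bp is patched in the same commit) the dependency is presumably intentional, but it should be fenced so the file stays portable: `#ifdef __ANDROID__` / `#include <log/log.h>` / `#endif`, with the matching `android_errorWriteLog` call in the EXIF_TAG_XP_SUBJECT hunk guarded the same way. A one-line comment next to the include stating that liblog is only used for the security event log would also save the next reader a lookup.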
@@ -1376,7 +1378,10 @@
case EXIF_TAG_XP_SUBJECT:
{
/* Sanity check the size to prevent overflow */
- if (e->size+sizeof(unsigned short) < e->size) break;
+ if (e->size > UINT_MAX - sizeof(unsigned short)) {
+ android_errorWriteLog(0x534e4554, "159625731");
+ break;
+ }
/* The tag may not be U+0000-terminated , so make a local
U+0000-terminated copy before converting it */
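Review bot: The new bound is only correct while `e->size` is an `unsigned int`; comparing against `UINT_MAX` silently becomes the wrong limit if that field is ever widened, and nothing on the line records that assumption or why the previous `a+b < a` form was dropped. The commit title says the old test was defeated by compiler optimization, which is consistent with the sum being promoted to `size_t` (via `sizeof`) so that it could never wrap on 64-bit targets and the test folded to false. I would extend the existing comment to `/* e->size is unsigned int; e->size + sizeof() is computed as size_t and cannot wrap, so the old "a+b < a" test was optimized away. Check against UINT_MAX instead. */`. The log tag literal `0x534e4554` spells "SNET" in ASCII and would also benefit from a short comment naming it as the security event log tag, e.g. `/* "SNET" security event log tag */`. The enclosing function and switch continue outside this hunk.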
diff --git a/libexif/pentax/mnote-pentax-entry.c b/libexif/pentax/mnote-pentax-entry.c
index 7e97c2c..dcb1560 100644
--- a/libexif/pentax/mnote-pentax-entry.c
+++ b/libexif/pentax/mnote-pentax-entry.c
@@ -425,24 +425,34 @@
case EXIF_FORMAT_SHORT:
{
const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
for(k=0; k<entry->components; k++) {
+ if (sizeleft < 2)
+ break;
vs = exif_get_short (data, entry->order);
snprintf (val+len, maxlen-len, "%i ", vs);
len = strlen(val);
data += 2;
+ sizeleft -= 2;
}
}
break;
case EXIF_FORMAT_LONG:
{
const unsigned char *data = entry->data;
- size_t k, len = strlen(val);
+ size_t k, len = strlen(val), sizeleft;
+
+ sizeleft = entry->size;
for(k=0; k<entry->components; k++) {
+ if (sizeleft < 4)
+ break;
vl = exif_get_long (data, entry->order);
snprintf (val+len, maxlen-len, "%li", (long int) vl);
len = strlen(val);
data += 4;
+ sizeleft -= 4;
}
}
break;
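Review bot: The element width appears as three separate literals in each arm (`sizeleft < 2`, `data += 2`, `sizeleft -= 2` for SHORT, the same with 4 for LONG), so the bound check, the pointer advance and the remaining-size decrement can drift apart on a later edit. Tie them to one value per arm, e.g. `const size_t width = exif_format_get_size (entry->format);` followed by `if (sizeleft < width) break;` and `data += width; sizeleft -= width;`, which also makes the two arms identical apart from the getter and format string. Note that a truncated entry now silently yields fewer values than `entry->components`, which callers cannot distinguish from a short entry; a comment such as `/* stop at the end of entry->data rather than reading past it; output is truncated silently */` would make that explicit. The commit message says not all over-reads are covered, and the other `case` arms of this switch lie outside the hunk; the enclosing function starts and ends outside it as well.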
@@ -455,5 +465,5 @@
break;
}
- return (val);
+ return val;
}