author | Carsten Haitzler (Rasterman) <raster@rasterman.com> | 2015-01-14 18:11:22 +0900 |
---|---|---|
committer | Carsten Haitzler (Rasterman) <raster@rasterman.com> | 2015-01-14 18:12:42 +0900 |
commit | 7a8f7047ac53b27d853ad03adad862254ebe9e50 (patch) | |
tree | bee5807753d43c73ae1ba7ac4bb8eb210e4cabbc /src/lib/eet | |
parent | 565f2af60f9f70171d09d9eb33fc1445e1323f43 (diff) | |
download | efl-7a8f7047ac53b27d853ad03adad862254ebe9e50.tar.gz |
eet - image decode - fix robustness of image decode from eet file
there are possible security implications by not checking values of
size fields to see if they are within the data range AND are not 0 or
negative. so do this.
@fix
Diffstat (limited to 'src/lib/eet')
-rw-r--r-- | src/lib/eet/eet_image.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/src/lib/eet/eet_image.c b/src/lib/eet/eet_image.c
index cd92ca01f8..ef825d5c43 100644
--- a/src/lib/eet/eet_image.c
+++ b/src/lib/eet/eet_image.c
@@ -2148,11 +2148,16 @@ eet_data_image_header_decode_cipher(const void *data,
 {
 unsigned int iw = 0, ih = 0;
 unsigned const char *dt;
- int sz1;
+ int sz1, sz2;
 int ok;
 sz1 = header[1];
-/* sz2 = header[2]; */
+ sz2 = header[2];
+ if ((sz1 <= 0) || (sz2 <= 0) || ((sz1 + sz2) > (size - 12)))
+ {
+ free(deciphered_d);
+ return 0;
+ }
 dt = data;
 dt += 12;
 ok = eet_data_image_jpeg_header_decode(dt, sz1, &iw, &ih);
@@ -2449,6 +2454,10 @@ _eet_data_image_decode_inside(const void *data,
 sz1 = header[1];
 sz2 = header[2];
+ if ((sz1 <= 0) || (sz2 <= 0) || ((sz1 + sz2) > (size - 12)))
+ {
+ return 0;
+ }
 dt = data;
 dt += 12; |
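Review bot: The bound `((sz1 + sz2) > (size - 12))` adds two positive ints taken straight from the file header before comparing them, so a large enough pair overflows the signed sum; that is undefined behaviour, and if `size` is a signed int the wrapped negative result would typically pass the test. Comparing by subtraction keeps every intermediate value in range: `if ((sz1 <= 0) || (sz2 <= 0) || (sz1 > (size - 12)) || (sz2 > (size - 12 - sz1)))`. The same expression is added in the second hunk, in `_eet_data_image_decode_inside`, and needs the same change. Both checks also rely on `size` being at least 12 (and, if `size` is unsigned, on `size - 12` not wrapping); the declaration of `size` and any earlier minimum-size guard lie outside these hunks, so that should be confirmed in the enclosing functions.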