author | Marcus Meissner <marcus@jet.franken.de> | 2017-04-29 13:15:46 +0200 |
---|---|---|
committer | Marcus Meissner <marcus@jet.franken.de> | 2017-04-29 13:15:46 +0200 |
commit | e25b3983489cd290edef693e78c0af694d3cd010 (patch) | |
tree | d35da4d6960d15b751ba31306c1e658e49a5eaf4 | |
parent | 3ad0c48f38a2741b05477aed97122f4c49b46bc3 (diff) | |
download | libgphoto2-e25b3983489cd290edef693e78c0af694d3cd010.tar.gz |
Added some more size checks to ptp_unpack_OPL to avoid crashes on too short data (AFL)
-rw-r--r-- | camlibs/ptp2/ptp-pack.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/camlibs/ptp2/ptp-pack.c b/camlibs/ptp2/ptp-pack.c
index 2e1d8e6b5..a36fb8b6d 100644
--- a/camlibs/ptp2/ptp-pack.c
+++ b/camlibs/ptp2/ptp-pack.c
@@ -1342,24 +1342,32 @@ _compare_func(const void* x, const void *y) {
 static inline int ptp_unpack_OPL (PTPParams *params, unsigned char* data, MTPProperties **pprops, unsigned int len) {
- uint32_t prop_count = dtoh32a(data);
+ uint32_t prop_count;
 MTPProperties *props = NULL;
 unsigned int offset = 0, i;
+ if (len < sizeof(uint32_t)) {
+ ptp_debug (params ,"must have at least 4 bytes data, not %d", len);
+ return 0;
+ }
+
+ prop_count = dtoh32a(data);
 *pprops = NULL;
 if (prop_count == 0) return 0;
+
 if (prop_count >= INT_MAX/sizeof(MTPProperties)) {
 ptp_debug (params ,"prop_count %d is too large", prop_count);
 return 0;
 }
 ptp_debug (params ,"Unpacking MTP OPL, size %d (prop_count %d)", len, prop_count);
+ data += sizeof(uint32_t);
 len -= sizeof(uint32_t);
 props = malloc(prop_count * sizeof(MTPProperties));
 if (!props) return 0;
 for (i = 0; i < prop_count; i++) {
- if (len <= 0) {
+ if (len <= (sizeof(uint32_t) + sizeof(uint16_t) + sizeof(uint16_t))) {
 ptp_debug (params ,"short MTP Object Property List at property %d (of %d)", i, prop_count);
 ptp_debug (params ,"device probably needs DEVICE_FLAG_BROKEN_MTPGETOBJPROPLIST_ALL");
 ptp_debug (params ,"or even DEVICE_FLAG_BROKEN_MTPGETOBJPROPLIST", i);
@@ -1367,6 +1375,8 @@ ptp_unpack_OPL (PTPParams *params, unsigned char* data, MTPProperties **pprops,
 *pprops = props;
 return i;
 }
+
+ props[i].ObjectHandle = dtoh32a(data);
 data += sizeof(uint32_t);
 len -= sizeof(uint32_t);
|
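Review bot: The new `if (len < sizeof(uint32_t))` guard returns 0 before `*pprops = NULL;` has run, so on that path the caller's pointer is left at whatever value it held; moving `*pprops = NULL;` to the top of ptp_unpack_OPL, above the guard, makes every early return leave it defined. The allocation is still sized from the device-supplied prop_count, bounded only against INT_MAX, so a few bytes of input can request a very large malloc; since the loop now needs more than 8 bytes per entry, capping the allocated count at what the remaining `len` can hold would tie it to the data actually received. The added ptp_debug call passes the unsigned `len` to `%d`; `%u` matches the type. The function body continues past the end of this hunk, so how the property value itself is bounded is not visible here.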