diff options
author | Marcus Meissner <meissner@suse.de> | 2020-03-22 17:36:56 +0100 |
---|---|---|
committer | Marcus Meissner <meissner@suse.de> | 2020-03-22 17:36:56 +0100 |
commit | 13438a04f1672d74e3c7aa168c6f5a0f3aec6e11 (patch) | |
tree | e1b1fc43dfadc525d71ab3e8e45a0eb815ad9e3c /camlibs/agfa-cl20 | |
parent | 75efa4e119c4edc9490c8c6d9267d0e1f4f3331f (diff) | |
download | libgphoto2-13438a04f1672d74e3c7aa168c6f5a0f3aec6e11.tar.gz |
check app1len also in the second case (AFL)
Diffstat (limited to 'camlibs/agfa-cl20')
-rw-r--r-- | camlibs/agfa-cl20/agfa_cl20.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/camlibs/agfa-cl20/agfa_cl20.c b/camlibs/agfa-cl20/agfa_cl20.c index 35ee333d6..c54f6b2c3 100644 --- a/camlibs/agfa-cl20/agfa_cl20.c +++ b/camlibs/agfa-cl20/agfa_cl20.c @@ -208,7 +208,7 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename, lb = (unsigned char)*(result + 0x05); hb = (unsigned char)*(result + 0x04); app1len = (unsigned int)(hb * 256) + (unsigned int)(lb); - if (app1len > size - 3) { + if ((app1len < 4) || (app1len > size - 4)) { free (result); GP_DEBUG("app1len %d is larger than size %d", app1len, size); return GP_ERROR_CORRUPTED_DATA; @@ -234,7 +234,7 @@ get_file_func (CameraFilesystem *fs, const char *folder, const char *filename, memmove(&result[20], &result[app1len + 4], - (unsigned int)(size - app1len - 2)); + (unsigned int)(size - app1len - 4)); size = size - app1len + 24; |