diff options
| author | Marcus Meissner <marcus@jet.franken.de> | 2020-03-22 16:43:57 +0100 |
|---|---|---|
| committer | Marcus Meissner <marcus@jet.franken.de> | 2020-03-22 16:43:57 +0100 |
| commit | 48bd51fac24c5369333cf57d2992697add92c301 (patch) | |
| tree | ae257c16c1b49b21a9f83e672a0e5ce6f3c75010 /camlibs/spca50x | |
| parent | b3067317e64a06d76c93b8114624d576a2e6ab66 (diff) | |
| download | libgphoto2-48bd51fac24c5369333cf57d2992697add92c301.tar.gz | |
fix overflows during create_jpeg_from_data (AFL)
Diffstat (limited to 'camlibs/spca50x')
| -rw-r--r-- | camlibs/spca50x/spca50x.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/camlibs/spca50x/spca50x.c b/camlibs/spca50x/spca50x.c index 518a381e4..d5ed92c91 100644 --- a/camlibs/spca50x/spca50x.c +++ b/camlibs/spca50x/spca50x.c @@ -244,15 +244,18 @@ create_jpeg_from_data (uint8_t * dst, uint8_t * src, int qIndex, int w, dst += SPCA50X_JPG_DEFAULT_HEADER_PART3_LENGTH; for (i = 0; i < o_size; i++) { + if (dst - start >= *size) return GP_ERROR; value = *(src + i) & 0xFF; *(dst) = value; dst++; if (value == 0xFF && !omit_escape) { + if (dst - start >= *size) return GP_ERROR; *(dst) = 0x00; dst++; } } + if (dst + 2 - start >= *size) return GP_ERROR; /* Add end of image marker */ *(dst++) = 0xFF; *(dst++) = 0xD9; |