authorMarcus Meissner <marcus@jet.franken.de>2019-06-16 12:01:40 +0200
committerMarcus Meissner <marcus@jet.franken.de>2019-06-16 12:01:40 +0200
commit94a45522d96e6292b291385fe284cbfdaa8f6900 (patch)
treeb1a3585c9cf3e0491c4f4a1c60ee8d6e14cbea3d /camlibs/spca50x
parent400f6843cc5a2a3cff8e63db10f31f44fe9276b3 (diff)
fixed crashes found during fuzzing (AFL)
also on afl builds avoid sleeps
Diffstat (limited to 'camlibs/spca50x')
-rw-r--r--camlibs/spca50x/spca50x-flash.c10
-rw-r--r--camlibs/spca50x/spca50x-sdram.c19
-rw-r--r--camlibs/spca50x/spca50x.c6
3 files changed, 35 insertions, 0 deletions
diff --git a/camlibs/spca50x/spca50x-flash.c b/camlibs/spca50x/spca50x-flash.c
index b0b6a418e..86ed02b77 100644
--- a/camlibs/spca50x/spca50x-flash.c
+++ b/camlibs/spca50x/spca50x-flash.c
@@ -73,7 +73,9 @@ spca50x_flash_wait_for_ready(CameraPrivateLibrary *pl)
int timeout = 30;
uint8_t ready = 0;
while (timeout--) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep(1);
+#endif
if (pl->bridge == BRIDGE_SPCA500) {
CHECK (gp_port_usb_msg_read (pl->gpdev,
0x00, 0x0000, 0x0101,
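Review bot: The `#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` / `#endif` pair is repeated around every delay in this commit (here and in the other sleep hunks of spca50x-flash.c, spca50x-sdram.c and spca50x.c), which clutters the control flow and is easy to forget when a new delay is added. A single wrapper defined once in a header shared by the three files would keep each call site to one line, with a matching wrapper for the `usleep(200000)` in spca50x_reset. The definition is also the right place for a comment saying these are device settle times that are skipped only to speed up fuzzing, since that macro must never be defined in a release build. The name below is a suggestion, and the loop body continues outside the hunk.
```c
/* Device settle delays; skipped only in fuzzing builds to keep runs fast. */
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
# define SPCA50X_SLEEP(s)	do { } while (0)
#else
# define SPCA50X_SLEEP(s)	sleep (s)
#endif

	while (timeout--) {
		SPCA50X_SLEEP (1);
		/* … unchanged: bridge-specific ready poll … */
```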
@@ -100,8 +102,11 @@ spca500_flash_84D_wait_while_busy(CameraPrivateLibrary *pl)
{
int timeout = 30;
uint8_t ready = 0;
+
while (timeout--) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep(1);
+#endif
CHECK (gp_port_usb_msg_read (pl->gpdev,
0x00, 0x0000, 0x0100,
(char*)&ready, 0x01));
@@ -316,7 +321,9 @@ spca500_flash_capture (CameraPrivateLibrary *pl)
/* wait until the camera is not busy any more */
/* spca50x_flash_wait_for_ready doesn't work here */
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep(3);
+#endif
/* invalidate TOC/info cache */
pl->dirty_flash = 1;
@@ -806,6 +813,9 @@ spca50x_flash_get_file (CameraPrivateLibrary *lib, GPContext *context,
if (lib->fw_rev != 1 && thumbnail)
return GP_ERROR_NOT_SUPPORTED;
+ if (!lib->flash_toc)
+ return GP_ERROR;
+
if (thumbnail) {
p = lib->flash_toc + (index*2+1) * 32;
} else {
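Review bot: The added `if (!lib->flash_toc)` check stops the NULL dereference, but `index` still goes unchecked into `p = lib->flash_toc + (index*2+1) * 32;` on the lines right after it, so an out-of-range index would point `p` outside the TOC buffer. Unless a caller or code outside this hunk already validates it, a range check before `p` is computed would close that gap, for example `if (index >= <number of TOC entries>) return GP_ERROR_BAD_PARAMETERS;` with the placeholder replaced by whatever count the driver keeps for the TOC. A one-line comment on the new check, such as `/* TOC not loaded (or load failed) */`, would also explain when the pointer can be NULL. The function starts and ends outside the hunk.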
diff --git a/camlibs/spca50x/spca50x-sdram.c b/camlibs/spca50x/spca50x-sdram.c
index 02e5a1947..3b87347c7 100644
--- a/camlibs/spca50x/spca50x-sdram.c
+++ b/camlibs/spca50x/spca50x-sdram.c
@@ -116,7 +116,9 @@ spca50x_sdram_get_file_count_and_fat_count (CameraPrivateLibrary * lib,
uint8_t lower, upper;
CHECK (gp_port_usb_msg_write (lib->gpdev, 0x5, 0, 0, NULL, 0));
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep (1);
+#endif
CHECK (gp_port_usb_msg_read
(lib->gpdev, 0, 0, 0xe15,
(char *) & lib->num_files_on_sdram, 1));
@@ -125,7 +127,9 @@ spca50x_sdram_get_file_count_and_fat_count (CameraPrivateLibrary * lib,
/* get fatscount */
CHECK (gp_port_usb_msg_write
(lib->gpdev, 0x05, 0x0000, 0x0008, NULL, 0));
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep (1);
+#endif
CHECK (gp_port_usb_msg_read
(lib->gpdev, 0, 0, 0x0e19,
(char *)&lower, 1));
@@ -165,7 +169,9 @@ spca50x_sdram_delete_file (CameraPrivateLibrary * lib, unsigned int index)
CHECK (gp_port_usb_msg_write
(lib->gpdev, 0x06, fat_index, 0x0007, NULL, 0));
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep (1);
+#endif
/* Reread fats the next time it is accessed */
lib->dirty_sdram = 1;
@@ -184,7 +190,9 @@ spca50x_sdram_delete_all (CameraPrivateLibrary * lib)
CHECK (gp_port_usb_msg_write
(lib->gpdev, 0x02, 0x0000, 0x0005, NULL, 0));
}
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep (3);
+#endif
/* Reread fats the next time it is accessed */
lib->dirty_sdram = 1;
@@ -272,7 +280,9 @@ spca50x_get_image (CameraPrivateLibrary * lib, uint8_t ** buf,
free (mybuf);
return ret;
}
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep (1);
+#endif
ret = gp_port_read (lib->gpdev, (char *)mybuf, size);
if (ret < GP_OK) {
free (mybuf);
@@ -627,7 +637,9 @@ spca50x_get_image_thumbnail (CameraPrivateLibrary * lib, uint8_t ** buf,
free (mybuf);
return ret;
}
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep (1);
+#endif
ret = gp_port_read (lib->gpdev, (char *)mybuf, size);
if (ret < GP_OK) {
free (mybuf);
@@ -870,7 +882,9 @@ spca50x_get_FATs (CameraPrivateLibrary * lib, int dramtype)
spca50x_reset (lib);
CHECK (gp_port_usb_msg_write
(lib->gpdev, 0x05, 0x00, 0x07, NULL, 0));
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep (1);
+#endif
CHECK (gp_port_read
(lib->gpdev, (char *)lib->fats,
lib->num_fats * SPCA50X_FAT_PAGE_SIZE));
@@ -880,6 +894,11 @@ spca50x_get_FATs (CameraPrivateLibrary * lib, int dramtype)
index = 0;
while (index < lib->num_fats) {
+ if (file_index >= lib->num_files_on_sdram) {
+ free (lib->fats); lib->fats = NULL;
+ free (lib->files); lib->files = NULL;
+ return GP_ERROR;
+ }
type = p[0];
/* While the spca504a indicates start of avi as 0x08 and cont.
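Review bot: The new guard at the top of the `while (index < lib->num_fats)` loop reports inconsistent device data with a bare `GP_ERROR` and no comment, so a caller cannot tell a corrupted FAT from an I/O failure. Returning `GP_ERROR_CORRUPTED_DATA` and adding `/* more FAT entries than num_files_on_sdram: device data is inconsistent */` would make the intent clear. The check bounds `file_index` only from above and the loop body is outside the hunk, so it is worth confirming that no path there uses `file_index` before the first entry has been started. Putting each `free (...)` and `= NULL` on its own line would match the surrounding style.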
diff --git a/camlibs/spca50x/spca50x.c b/camlibs/spca50x/spca50x.c
index 95092defd..518a381e4 100644
--- a/camlibs/spca50x/spca50x.c
+++ b/camlibs/spca50x/spca50x.c
@@ -152,7 +152,9 @@ spca50x_reset (CameraPrivateLibrary * lib)
CHECK (spca50x_pd_enable (lib));
}
}
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
usleep(200000);
+#endif
return GP_OK;
}
@@ -189,10 +191,14 @@ yuv2rgb (uint32_t y, uint32_t u, uint32_t v, uint32_t *_r, uint32_t *_g, uint32_
int
spca50x_capture (CameraPrivateLibrary * lib)
{
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep (2);
+#endif
CHECK (gp_port_usb_msg_write
(lib->gpdev, 0x06, 0x0000, 0x0003, NULL, 0));
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
sleep (3);
+#endif
return GP_OK;
}