From 71d8a5713e175c3ffd2996a6c1d51130b752992a Mon Sep 17 00:00:00 2001
From: Leon Scroggins III
Date: Tue, 19 Dec 2017 10:14:43 -0500
Subject: Consider overflow in is_orientation_marker

Bug: skia:7404

Use a uint64_t to store the four byte integer in order to protect against overflow in the encoded (untrusted) offset.

Change-Id: I9592983a7a5353219507b7ec85eae2f2c4a16a1a
Reviewed-on: https://skia-review.googlesource.com/85900
Commit-Queue: Leon Scroggins
Reviewed-by: Herb Derby
Reviewed-by: Kevin Lubick
---
 src/codec/SkJpegCodec.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'src/codec')

diff --git a/src/codec/SkJpegCodec.cpp b/src/codec/SkJpegCodec.cpp
index 97d71eb00e..745194124c 100644
--- a/src/codec/SkJpegCodec.cpp
+++ b/src/codec/SkJpegCodec.cpp
@@ -63,7 +63,8 @@ static bool is_orientation_marker(jpeg_marker_struct* marker, SkEncodedOrigin* o
     // Get the offset from the start of the marker.
     // Account for 'E', 'x', 'i', 'f', '\0', ''.
-    uint32_t offset = get_endian_int(data + 10, littleEndian);
+    // Though this only reads four bytes, use a larger int in case it overflows.
+    uint64_t offset = get_endian_int(data + 10, littleEndian);
     offset += sizeof(kExifSig) + 1;
     // Require that the marker is at least large enough to contain the number of entries.
@@ -74,7 +75,8 @@ static bool is_orientation_marker(jpeg_marker_struct* marker, SkEncodedOrigin* o
     // Tag (2 bytes), Datatype (2 bytes), Number of elements (4 bytes), Data (4 bytes)
     const uint32_t kEntrySize = 12;
-    numEntries = SkTMin(numEntries, (marker->data_length - offset - 2) / kEntrySize);
+    const auto max = SkTo((marker->data_length - offset - 2) / kEntrySize);
+    numEntries = SkTMin(numEntries, max);
     // Advance the data to the start of the entries.
     data += offset + 2;
-- 
cgit v1.2.3
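Review bot: The new comment above `uint64_t offset` says the four-byte value might "overflow", but the value read by get_endian_int cannot overflow on its own; what the wider type prevents is the attacker-chosen offset wrapping when `sizeof(kExifSig) + 1` is added here and when `+ 2` is added in the bounds check that follows the hunk, which would let a near-UINT32_MAX offset pass that check and then index `data` out of bounds. I would make the comment say that, e.g. `// offset comes from untrusted data; widen to 64 bits so the additions below (and the data_length < offset + 2 check) cannot wrap.` The rest of is_orientation_marker, including that check, lies outside this hunk.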
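Review bot: The subtraction `marker->data_length - offset - 2` on the new `SkTo` line is now 64-bit arithmetic and is non-negative only because of the `data_length < offset + 2` rejection that sits between the two hunks and is not shown here; if that check were ever loosened, the expression would wrap to a huge uint64_t, and SkTo's fit assertion is, as far as I recall, debug-only, so release builds would silently truncate. A one-line comment tying the two together would make the invariant visible to the next maintainer: `// Safe: data_length >= offset + 2 was verified above, so this cannot underflow and fits in 32 bits.` If data_length is libjpeg's `unsigned int` field (please confirm), the narrowing itself is always lossless. The function continues past the end of this hunk.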