authorCarsten Haitzler (Rasterman) <raster@rasterman.com>2015-01-14 18:11:22 +0900
committerCarsten Haitzler (Rasterman) <raster@rasterman.com>2015-01-14 18:12:42 +0900
commit7a8f7047ac53b27d853ad03adad862254ebe9e50 (patch)
treebee5807753d43c73ae1ba7ac4bb8eb210e4cabbc /src/lib/eet
parentEee image: fix macros to be surrounded with do while(). (diff)
eet - image decode - fix robustness of image decode from eet file
there are possible security implications by not checking values of size fields to see if they are within the data range AND are not 0 or negative. so do this. @fix
Diffstat (limited to 'src/lib/eet')
-rw-r--r--src/lib/eet/eet_image.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/src/lib/eet/eet_image.c b/src/lib/eet/eet_image.c
index cd92ca01f8..ef825d5c43 100644
--- a/src/lib/eet/eet_image.c
+++ b/src/lib/eet/eet_image.c
@@ -2148,11 +2148,16 @@ eet_data_image_header_decode_cipher(const void *data,
{
unsigned int iw = 0, ih = 0;
unsigned const char *dt;
- int sz1;
+ int sz1, sz2;
int ok;
sz1 = header[1];
-/* sz2 = header[2]; */
+ sz2 = header[2];
+ if ((sz1 <= 0) || (sz2 <= 0) || ((sz1 + sz2) > (size - 12)))
+ {
+ free(deciphered_d);
+ return 0;
+ }
dt = data;
dt += 12;
ok = eet_data_image_jpeg_header_decode(dt, sz1, &iw, &ih);
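Review bot: The added bound `(sz1 + sz2) > (size - 12)` sums two `int` size fields read from the image header before comparing, so two large positive values can overflow the signed addition (undefined behaviour, typically a negative result) and pass the check that is meant to reject them. Comparing each field against the remaining space avoids the addition: `if ((sz1 <= 0) || (sz2 <= 0) || (sz1 > (size - 12)) || (sz2 > (size - 12 - sz1)))`. The second hunk, in `_eet_data_image_decode_inside`, uses the same expression and needs the same change. The declarations of `header` and `size` are outside the hunk, so this assumes `size` is a signed `int`; if it is unsigned, `size - 12` would also wrap for inputs shorter than 12 bytes and an explicit `size < 12` guard should come first.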
@@ -2449,6 +2454,10 @@ _eet_data_image_decode_inside(const void *data,
sz1 = header[1];
sz2 = header[2];
+ if ((sz1 <= 0) || (sz2 <= 0) || ((sz1 + sz2) > (size - 12)))
+ {
+ return 0;
+ }
dt = data;
dt += 12;