eet - image decode - fix robustness of image decode from eet file

there are possible security implications by not checking values of size fields to see if they are within the data range AND are not 0 or negative. so do this. @fix
2015-01-14 18:11:22 +09:00 · 2015-01-14 18:11:22 +09:00 · 7a8f7047ac
parent 565f2af60f
commit 7a8f7047ac
1 changed files with 11 additions and 2 deletions
--- a/src/lib/eet/eet_image.c
+++ b/src/lib/eet/eet_image.c
@ -2148,11 +2148,16 @@ eet_data_image_header_decode_cipher(const void   *data,
     {
        unsigned int iw = 0, ih = 0;
        unsigned const char *dt;
-        int sz1;
+        int sz1, sz2;
        int ok;

        sz1 = header[1];
-/*  sz2 = header[2]; */
+        sz2 = header[2];
+        if ((sz1 <= 0) || (sz2 <= 0) || ((sz1 + sz2) > (size - 12)))
+          {
+             free(deciphered_d);
+             return 0;
+          }
        dt = data;
        dt += 12;
        ok = eet_data_image_jpeg_header_decode(dt, sz1, &iw, &ih);
@ -2449,6 +2454,10 @@ _eet_data_image_decode_inside(const void   *data,

             sz1 = header[1];
             sz2 = header[2];
+             if ((sz1 <= 0) || (sz2 <= 0) || ((sz1 + sz2) > (size - 12)))
+               {
+                  return 0;
+               }
             dt = data;
             dt += 12;