Apply CVE patch

- CVE-2017-9831, CVE-2017-9832 : Integer Overflow

Change-Id: I2538cb1ce822820ad675d5af681b0170354ae6dc
Signed-off-by: Jihoon Jung <jh8801.jung@samsung.com>

diff --git a/src/ptp-pack.c b/src/ptp-pack.c
index 877a1ce..51ef0c5 100755 (executable)
--- a/src/ptp-pack.c
+++ b/src/ptp-pack.c
@@ -1255,6 +1255,12 @@ ptp_unpack_OPL (PTPParams *params, unsigned char* data, MTPProperties **pprops,
                *pprops = NULL;
                return 0;
        }
+
+       if (prop_count >= INT_MAX/sizeof(MTPProperties)) {
+               ptp_debug (params ,"prop_count %d is too large", prop_count);
+               return 0;
+       }
+
        ptp_debug (params ,"Unpacking MTP OPL, size %d (prop_count %d)", len, prop_count);
        data += sizeof(uint32_t);
        len -= sizeof(uint32_t);
@@ -1546,14 +1552,19 @@ ptp_unpack_EOS_CustomFuncEx (PTPParams* params, unsigned char** data )
 {
        uint32_t s = dtoh32a( *data );
        uint32_t n = s/4, i;
-       char* str = (char*)malloc( s*2+s/4+1 ); /* n is size in uint32, maximum %x len is 8 chars and \0*/
+       char    *str, *p;
+
+       if (s > 1024) {
+               ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s);
+               return strdup("bad length");
+       }
+       str = (char*)malloc( s*2+s/4+1 ); /* n is size in uint32, maximum %x len is 8 chars and \0*/
        if (!str)
-               return str;
-       char* p = str;
+               return strdup("malloc failed");
 
+       p = str;
        for (i=0; i < n; ++i)
                p += sprintf(p, "%x,", dtoh32a( *data + 4*i ));
-
        return str;
 }