*pprops = NULL;
return 0;
}
+
+ if (prop_count >= INT_MAX/sizeof(MTPProperties)) {
+ ptp_debug (params ,"prop_count %d is too large", prop_count);
+ return 0;
+ }
+
ptp_debug (params ,"Unpacking MTP OPL, size %d (prop_count %d)", len, prop_count);
data += sizeof(uint32_t);
len -= sizeof(uint32_t);
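Review bot: The new oversize-`prop_count` branch returns 0 without clearing the out pointer, while the early return just above it does `*pprops = NULL;` first. Unless `*pprops` is already initialised before this point (the start of the function is outside the hunk), a caller that frees or walks the list after a 0 return would be working with a stale pointer taken on a malformed-input path. Adding `*pprops = NULL;` before the new `return 0;` keeps the two exits consistent. The bound only guards the size multiplication: nothing in the hunk compares `prop_count` with `len`, so it is worth confirming that the code after the hunk rejects counts the received buffer cannot hold.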
{
uint32_t s = dtoh32a( *data );
uint32_t n = s/4, i;
- char* str = (char*)malloc( s*2+s/4+1 ); /* n is size in uint32, maximum %x len is 8 chars and \0*/
+ char *str, *p;
+
+ if (s > 1024) {
+ ptp_debug (params, "customfuncex data is larger than 1k / %d... unexpected?", s);
+ return strdup("bad length");
+ }
+ str = (char*)malloc( s*2+s/4+1 ); /* n is size in uint32, maximum %x len is 8 chars and \0*/
if (!str)
- return str;
- char* p = str;
+ return strdup("malloc failed");
+ p = str;
for (i=0; i < n; ++i)
p += sprintf(p, "%x,", dtoh32a( *data + 4*i ));
-
return str;
}
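Review bot: The 1024 cap bounds the allocation, but the loop still reads `s` bytes from `*data`, and `s` comes from the packet itself. No received-buffer length is visible in the hunk (the function signature is outside it), so a short packet declaring a larger `s` could still be read past its end by up to 1 KiB; comparing `s` with the real length, if the caller can pass one, would close that. Separately, when `s < 4` the loop body never runs and `str` is returned without a terminator ever being written, so `p = str; *p = '\0';` is needed. The error paths return `strdup("bad length")` and `strdup("malloc failed")` in-band, which a caller cannot tell apart from decoded data, and `s` is a `uint32_t` logged with `%d` where `%u` matches.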