From 2fa5f9beec173dbc2c4cf961917dd2c199ffd256 Mon Sep 17 00:00:00 2001
From: "jiyong.min"
Date: Wed, 17 Oct 2018 14:44:54 +0900
Subject: [PATCH] Add to check overread(overflow) issue
Change-Id: I3733abb4874b3fa7447cbcb6ca59698932d722fc
---
 gif/include/mm_util_gif.h | 2 +-
 gif/include/mm_util_gif_private.h | 1 +
 gif/mm_util_gif.c | 39 ++++++++++++++++++++++-----------------
 3 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/gif/include/mm_util_gif.h b/gif/include/mm_util_gif.h
index e729486..fb021bf 100755
--- a/gif/include/mm_util_gif.h
+++ b/gif/include/mm_util_gif.h
@@ -50,7 +50,7 @@ typedef enum {
 typedef void* mm_gif_file_h;
 int mm_util_decode_from_gif_file(const char *filename, mm_image_info_s * decoded);
-int mm_util_decode_from_gif_memory(void *memory, mm_image_info_s * decoded);
+int mm_util_decode_from_gif_memory(void *memory, const size_t src_size, mm_image_info_s * decoded);
 int mm_util_encode_to_gif_file(mm_image_info_s **images, const unsigned int image_count, const char *path);
 int mm_util_encode_to_gif_memory(mm_image_info_s **images, const unsigned int image_count, void **buffer, size_t *size);
diff --git a/gif/include/mm_util_gif_private.h b/gif/include/mm_util_gif_private.h
index 9e4700a..1cf029b 100755
--- a/gif/include/mm_util_gif_private.h
+++ b/gif/include/mm_util_gif_private.h
@@ -31,6 +31,7 @@ extern "C" {
 typedef struct {
 size_t size;
+ size_t mem_size;
 void **mem;
 } gif_mem_s;
diff --git a/gif/mm_util_gif.c b/gif/mm_util_gif.c
index c0ebe83..c814368 100755
--- a/gif/mm_util_gif.c
+++ b/gif/mm_util_gif.c
@@ -68,15 +68,18 @@ static int __read_function(GifFileType *gft, GifByteType *data, int size)
 {
 gif_mem_s *read_data_ptr = (gif_mem_s *) gft->UserData;
- if (read_data_ptr->mem && size > 0) {
- memcpy(data, read_data_ptr->mem + read_data_ptr->size, size);
- read_data_ptr->size += size;
- }
+ mm_util_retvm_if(size <= 0, 0, "Failed to read memory due to size(%d).", size);
+ mm_util_retvm_if(read_data_ptr == NULL, 0, "Failed to read memory due to invalid input data.");
+ mm_util_retvm_if(read_data_ptr->mem == NULL, 0, "Failed to read memory due to invalid input buffer.");
+ mm_util_retvm_if(read_data_ptr->size + size > read_data_ptr->mem_size, 0, "Failed to read memory due to buffer overflow(%zu/%d/%zu).", read_data_ptr->size, size, read_data_ptr->mem_size);
+
+ memcpy(data, read_data_ptr->mem + read_data_ptr->size, size);
+ read_data_ptr->size += size;
 return size;
 }
-static int __read_gif(mm_image_info_s *decoded, const char *filename, void *memory)
+static int __read_gif(mm_image_info_s *decoded, const char *filename, void *memory, const size_t src_size)
 {
 int ret = MM_UTIL_ERROR_NONE;
@@ -98,6 +101,7 @@ static int __read_gif(mm_image_info_s *decoded, const char *filename, void *memo
 }
 } else if (memory) {
 read_data_ptr.mem = memory;
+ read_data_ptr.mem_size = src_size;
 read_data_ptr.size = 0;
 if ((GifFile = DGifOpen(&read_data_ptr, __read_function, NULL)) == NULL) {
 mm_util_error("could not open Gif File");
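Review bot: The new bounds check in `__read_function` counts bytes, but the copy source `read_data_ptr->mem + read_data_ptr->size` is pointer arithmetic on `mem`, which the `gif_mem_s` hunk in mm_util_gif_private.h declares as `void **`. If that is the type in effect here, the offset is scaled by `sizeof(void *)`, so the `memcpy` can still read past `mem_size` even when the check passes. Doing the arithmetic on a byte pointer keeps the check and the read in the same unit: `memcpy(data, (const unsigned char *)read_data_ptr->mem + read_data_ptr->size, size);`. The comparison is also sturdier written without the addition, `(size_t)size > read_data_ptr->mem_size - read_data_ptr->size`, which cannot wrap because `size` starts at 0 and only grows after the check has passed.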
@@ -257,27 +261,30 @@ int mm_util_decode_from_gif_file(const char *fpath, mm_image_info_s *decoded)
 {
 mm_util_fenter();
- return __read_gif(decoded, fpath, NULL);
+ return __read_gif(decoded, fpath, NULL, 0);
 }
-int mm_util_decode_from_gif_memory(void *memory, mm_image_info_s *decoded)
+int mm_util_decode_from_gif_memory(void *memory, const size_t src_size, mm_image_info_s *decoded)
 {
 mm_util_fenter();
- return __read_gif(decoded, NULL, memory);
+ return __read_gif(decoded, NULL, memory, src_size);
 }
 static int __write_function(GifFileType *gft, const GifByteType *data, int size)
 {
 gif_mem_s *write_data_ptr = (gif_mem_s *) gft->UserData;
- if (size > 0) {
- *(write_data_ptr->mem) = (void *)realloc(*(write_data_ptr->mem), (write_data_ptr->size + size));
- if (*(write_data_ptr->mem) != NULL) {
- memcpy(*(write_data_ptr->mem) + write_data_ptr->size, data, size);
- write_data_ptr->size += size;
- }
- }
+ mm_util_retvm_if(size <= 0, 0, "Failed to write memory due to size(%d).", size);
+ mm_util_retvm_if(write_data_ptr == NULL, 0, "Failed to write memory due to invalid output data.");
+ mm_util_retvm_if(write_data_ptr->mem == NULL, 0, "Failed to write memory due to invalid output buffer.");
+
+ *(write_data_ptr->mem) = (void *)realloc(*(write_data_ptr->mem), (write_data_ptr->size + size));
+ mm_util_retvm_if(*(write_data_ptr->mem) == NULL, 0, "Failed to write memory due to allocation failure.");
+
+ memcpy(*(write_data_ptr->mem) + write_data_ptr->size, data, size);
+ write_data_ptr->size += size;
+
 return size;
 }
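Review bot: In `__write_function` the `realloc` result is still assigned straight to `*(write_data_ptr->mem)`, so on allocation failure the bytes already written are leaked and the caller's buffer pointer becomes NULL while `write_data_ptr->size` keeps its old value. Going through a temporary keeps the previous buffer valid on failure: `void *tmp = realloc(*(write_data_ptr->mem), write_data_ptr->size + size);`, then `mm_util_retvm_if(tmp == NULL, 0, "Failed to write memory due to allocation failure.");` and `*(write_data_ptr->mem) = tmp;`. The `memcpy` destination `*(write_data_ptr->mem) + write_data_ptr->size` is arithmetic on `void *`, which is a GNU extension; casting to `unsigned char *` first makes the byte offset explicit and portable.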
@@ -716,7 +723,6 @@ int mm_util_encode_to_gif_file(mm_image_info_s **images, const unsigned int imag
 ret = mm_util_gif_encode_set_file(gif_file_h, path);
 mm_util_retvm_if(ret != MM_UTIL_ERROR_NONE, ret, "mm_util_gif_encode_set_file failed %d", ret);
- /* this way is for image_util_encode_run(), remove it later */
 ret = _mm_util_gif_encode_start(gif_file_h, images[0]->width, images[0]->height);
 mm_util_retvm_if(ret != MM_UTIL_ERROR_NONE, ret, "_mm_util_gif_encode_start failed");
@@ -747,7 +753,6 @@ int mm_util_encode_to_gif_memory(mm_image_info_s **images, const unsigned int im
 ret = mm_util_gif_encode_set_mem(gif_file_h, buffer, size);
 mm_util_retvm_if(ret != MM_UTIL_ERROR_NONE, ret, "mm_util_gif_encode_set_mem failed %d", ret);
- /* this way is for image_util_encode_run(), remove it later */
 ret = _mm_util_gif_encode_start(gif_file_h, images[0]->width, images[0]->height);
 mm_util_retvm_if(ret != MM_UTIL_ERROR_NONE, ret, "_mm_util_gif_encode_start failed");
--
2.7.4