Fix possible out of bounds access

marcone · andi34 · commit 96777bdc3b43 · 2016-08-12T21:03:58.000+02:00
Bug: 28868315
Change-Id: I2b416c662f9ad7f9b3c6cf973a39c6693c66775a
(cherry picked from commit 751b4eba25aa2e2a31232c9c25ceb6dbddfb1d93)
diff --git a/exif.c b/exif.c
@@ -614,7 +614,7 @@ static void ProcessExifDir(unsigned char * DirStart, unsigned char * OffsetBase,
             unsigned OffsetVal;
             OffsetVal = Get32u(DirEntry+8);
             // If its bigger than 4 bytes, the dir entry contains an offset.
-            if (OffsetVal+ByteCount > ExifLength){
+            if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength){
                 // Bogus pointer offset and / or bytecount value
                 ErrNonfatal("Illegal value pointer for tag %04x", Tag,0);
                 continue;
