Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 57c8ffbc authored by Treehugger Robot's avatar Treehugger Robot Committed by Android (Google) Code Review
Browse files

Merge "Fix heap buffer overflow issue flagged by fuzzer test." into main

parents 3b487459 d8cc2062

media/mtp/MtpDataPacket.cpp

+4 −4
Original line number Diff line number Diff line
@@ -73,14 +73,14 @@ void MtpDataPacket::setTransactionID(MtpTransactionID id) { 
}



bool MtpDataPacket::getUInt8(uint8_t& value) {

    if (mPacketSize - mOffset < sizeof(value))

    if ((mPacketSize - mOffset < sizeof(value)) || (mOffset >= mBufferSize))

        return false;

    value = mBuffer[mOffset++];

    return true;

}



bool MtpDataPacket::getUInt16(uint16_t& value) {

    if (mPacketSize - mOffset < sizeof(value))

    if ((mPacketSize - mOffset < sizeof(value)) || ((mOffset+1) >= mBufferSize))

        return false;

    int offset = mOffset;

    value = (uint16_t)mBuffer[offset] | ((uint16_t)mBuffer[offset + 1] << 8);
@@ -89,7 +89,7 @@ bool MtpDataPacket::getUInt16(uint16_t& value) { 
}



bool MtpDataPacket::getUInt32(uint32_t& value) {

    if (mPacketSize - mOffset < sizeof(value))

    if ((mPacketSize - mOffset < sizeof(value)) || ((mOffset+3) >= mBufferSize))

        return false;

    int offset = mOffset;

    value = (uint32_t)mBuffer[offset] | ((uint32_t)mBuffer[offset + 1] << 8) |
@@ -99,7 +99,7 @@ bool MtpDataPacket::getUInt32(uint32_t& value) { 
}



bool MtpDataPacket::getUInt64(uint64_t& value) {

    if (mPacketSize - mOffset < sizeof(value))

    if ((mPacketSize - mOffset < sizeof(value)) || ((mOffset+7) >= mBufferSize))

        return false;

    int offset = mOffset;

    value = (uint64_t)mBuffer[offset] | ((uint64_t)mBuffer[offset + 1] << 8) |