Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8708c80c authored by NIEJuhu's avatar NIEJuhu Committed by Sungsoo Lim
Browse files

ExifInterface: fix NegativeArraySizeException 



The IFD entry has a 4-byte field COUNT. It is read as int type
and is used as array size by ExifInterface. If a crafted JPEG
file contains a negative value, a NegativeArraySizeException
occurs.

Change-Id: Ief29936400f04636928df09e7f357cbf25345383
Signed-off-by: default avatarNIEJuhu <niejuhu@xiaomi.com>
parent 7dd90968

media/java/android/media/ExifInterface.java

+14 −7
Original line number Diff line number Diff line
@@ -2193,21 +2193,28 @@ public class ExifInterface { 
                        dataFormat, numberOfComponents));

            }



            if (tag == null || dataFormat <= 0 ||

                    dataFormat >= IFD_FORMAT_BYTES_PER_FORMAT.length) {

                // Skip if the parsed tag number is not defined or invalid data format.

            long byteCount = 0;

            boolean valid = false;

            if (tag == null) {

                Log.w(TAG, "Skip the tag entry since tag number is not defined: " + tagNumber);

                } else {

            } else if (dataFormat <= 0 || dataFormat >= IFD_FORMAT_BYTES_PER_FORMAT.length) {

                Log.w(TAG, "Skip the tag entry since data format is invalid: " + dataFormat);

            } else {

                byteCount = (long) numberOfComponents * IFD_FORMAT_BYTES_PER_FORMAT[dataFormat];

                if (byteCount < 0 || byteCount > Integer.MAX_VALUE) {

                    Log.w(TAG, "Skip the tag entry since number of components is invalid: "

                            + numberOfComponents);

                } else {

                    valid = true;

                }

            }

            if (!valid) {

                dataInputStream.seek(nextEntryOffset);

                continue;

            }



            // Read a value from data field or seek to the value offset which is stored in data

            // field if the size of the entry value is bigger than 4.

            int byteCount = numberOfComponents * IFD_FORMAT_BYTES_PER_FORMAT[dataFormat];

            if (byteCount > 4) {

                long offset = dataInputStream.readUnsignedInt();

                if (DEBUG) {