Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b2084952 authored by Jin Seok Park's avatar Jin Seok Park
Browse files

[Exif] Prevent infinite loop 

This CL fixes the previous implementation which stored the current
position of the file instead of the offset to the next IFD.

Bug: 63800695
Test: Run test file with malformatted thumbnail data
Change-Id: Iab5b9a1a8203e8de1027ecfb887e4f504a27151e
parent 084e4717

media/java/android/media/ExifInterface.java

+6 −7
Original line number Diff line number Diff line
@@ -1323,7 +1323,7 @@ public class ExifInterface { 
    private int mMimeType;

    @UnsupportedAppUsage

    private final HashMap[] mAttributes = new HashMap[EXIF_TAGS.length];

    private Set<Integer> mAttributesOffsets = new HashSet<>(EXIF_TAGS.length);

    private Set<Integer> mHandledIfdOffsets = new HashSet<>(EXIF_TAGS.length);

    private ByteOrder mExifByteOrder = ByteOrder.BIG_ENDIAN;

    @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.P, trackingBug = 115609023)

    private boolean mHasThumbnail;
@@ -3085,6 +3085,9 @@ public class ExifInterface { 
    // Reads image file directory, which is a tag group in EXIF.

    private void readImageFileDirectory(ByteOrderedDataInputStream dataInputStream,

            @IfdType int ifdType) throws IOException {

        // Save offset of current IFD to prevent reading an IFD that is already read.

        mHandledIfdOffsets.add(dataInputStream.mPosition);



        if (dataInputStream.mPosition + 2 > dataInputStream.mLength) {

            // Return if there is no data from the offset.

            return;
@@ -3223,9 +3226,7 @@ public class ExifInterface { 
                // 1. Exists within the boundaries of the input stream

                // 2. Does not point to a previously read IFD.

                if (offset > 0L && offset < dataInputStream.mLength) {

                    if (!mAttributesOffsets.contains((int) offset)) {

                        // Save offset of current IFD to prevent reading an IFD that is already read

                        mAttributesOffsets.add(dataInputStream.mPosition);

                    if (!mHandledIfdOffsets.contains((int) offset)) {

                        dataInputStream.seek(offset);

                        readImageFileDirectory(dataInputStream, nextIfdType);

                    } else {
@@ -3279,9 +3280,7 @@ public class ExifInterface { 
            // 1. Exists within the boundaries of the input stream

            // 2. Does not point to a previously read IFD.

            if (nextIfdOffset > 0L && nextIfdOffset < dataInputStream.mLength) {

                if (!mAttributesOffsets.contains(nextIfdOffset)) {

                    // Save offset of current IFD to prevent reading an IFD that is already read.

                    mAttributesOffsets.add(dataInputStream.mPosition);

                if (!mHandledIfdOffsets.contains(nextIfdOffset)) {

                    dataInputStream.seek(nextIfdOffset);

                    // Do not overwrite thumbnail IFD data if it alreay exists.

                    if (mAttributes[IFD_TYPE_THUMBNAIL].isEmpty()) {