Fix stack corruption on oversized QR codes.

Issue reported by dswetz on GitHub:
https://github.com/dlbeer/quirc/issues/119
Daniel Beer 2021-10-08 19:40:36 +13:00
parent 00d5e968b6
commit 516d91a94d
2 changed files with 11 additions and 2 deletions


@ -886,6 +886,9 @@ quirc_decode_error_t quirc_decode(const struct quirc_code *code,
quirc_decode_error_t err; quirc_decode_error_t err;
struct datastream ds; struct datastream ds;
if (code->size > QUIRC_MAX_GRID_SIZE)
return QUIRC_ERROR_INVALID_GRID_SIZE;
if ((code->size - 17) % 4) if ((code->size - 17) % 4)
return QUIRC_ERROR_INVALID_GRID_SIZE; return QUIRC_ERROR_INVALID_GRID_SIZE;
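Review bot: The new guard bounds code->size only from above, so an undersized or negative size still passes both checks in this hunk: 13 and -3 both satisfy `(code->size - 17) % 4 == 0`, and the `- 17` then yields a negative version. If the version derived from code->size is not range-checked further down in quirc_decode (those lines are outside the hunk), that is a second out-of-range path; even if it is, rejecting it here keeps all size validation in one place. I would widen the added line to `if (code->size < 17 || code->size > QUIRC_MAX_GRID_SIZE)`, which still returns QUIRC_ERROR_INVALID_GRID_SIZE. The body of quirc_decode continues past the hunk.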


@ -1118,11 +1118,11 @@ void quirc_extract(const struct quirc *q, int index,
int y; int y;
int i = 0; int i = 0;
memset(code, 0, sizeof(*code));
if (index < 0 || index > q->num_grids) if (index < 0 || index > q->num_grids)
return; return;
memset(code, 0, sizeof(*code));
perspective_map(qr->c, 0.0, 0.0, &code->corners[0]); perspective_map(qr->c, 0.0, 0.0, &code->corners[0]);
perspective_map(qr->c, qr->grid_size, 0.0, &code->corners[1]); perspective_map(qr->c, qr->grid_size, 0.0, &code->corners[1]);
perspective_map(qr->c, qr->grid_size, qr->grid_size, perspective_map(qr->c, qr->grid_size, qr->grid_size,
@ -1131,6 +1131,12 @@ void quirc_extract(const struct quirc *q, int index,
code->size = qr->grid_size; code->size = qr->grid_size;
/* Skip out early so as not to overrun the buffer. quirc_decode
* will return an error on interpreting the code.
*/
if (code->size > QUIRC_MAX_GRID_SIZE)
return;
for (y = 0; y < qr->grid_size; y++) { for (y = 0; y < qr->grid_size; y++) {
int x; int x;
for (x = 0; x < qr->grid_size; x++) { for (x = 0; x < qr->grid_size; x++) {
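Review bot: The index check kept on the new side, `if (index < 0 || index > q->num_grids)`, still accepts index == q->num_grids; if q->grids holds num_grids populated entries, that reads one past the last valid grid, so the check should be `if (index < 0 || index >= q->num_grids)`. The commit moves memset() ahead of this check and adds the QUIRC_MAX_GRID_SIZE early return, but neither touches this bound. Note also that qr is presumably derived from index before the first hunk (the signature and the `qr` initialisation precede it), so moving the bound check cannot protect that pointer computation; it only stops the dereferences that follow. The function's for loop continues past the hunk.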