Fix stack corruption on oversized QR codes.
Issue reported by dswetz on Github: https://github.com/dlbeer/quirc/issues/119
parent
00d5e968b6
commit
516d91a94d
2 changed files with 11 additions and 2 deletions
|
@ -886,6 +886,9 @@ quirc_decode_error_t quirc_decode(const struct quirc_code *code,
|
|||
quirc_decode_error_t err;
|
||||
struct datastream ds;
|
||||
|
||||
if (code->size > QUIRC_MAX_GRID_SIZE)
|
||||
return QUIRC_ERROR_INVALID_GRID_SIZE;
|
||||
|
||||
if ((code->size - 17) % 4)
|
||||
return QUIRC_ERROR_INVALID_GRID_SIZE;
|
||||
|
||||
|
|
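Review bot: The new guard in quirc_decode tests only the upper bound of `code->size` and carries no comment explaining why it is needed here as well as in quirc_extract. `code` is filled in by the caller, so this function cannot assume the size was already validated; a one-line comment such as `/* code is caller-supplied; an oversized grid would overrun the decode buffers */` would record that. Small or negative sizes where `(size - 17) % 4 == 0` (17, 13, -3) pass both tests visible here. Whether a later version range check rejects them cannot be seen from the hunk; if none exists, the condition should read `if (code->size < 21 || code->size > QUIRC_MAX_GRID_SIZE)`. The function body continues past the end of the hunk.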
|
@ -1118,11 +1118,11 @@ void quirc_extract(const struct quirc *q, int index,
|
|||
int y;
|
||||
int i = 0;
|
||||
|
||||
memset(code, 0, sizeof(*code));
|
||||
|
||||
if (index < 0 || index > q->num_grids)
|
||||
return;
|
||||
|
||||
memset(code, 0, sizeof(*code));
|
||||
|
||||
perspective_map(qr->c, 0.0, 0.0, &code->corners[0]);
|
||||
perspective_map(qr->c, qr->grid_size, 0.0, &code->corners[1]);
|
||||
perspective_map(qr->c, qr->grid_size, qr->grid_size,
|
||||
|
@ -1131,6 +1131,12 @@ void quirc_extract(const struct quirc *q, int index,
|
|||
|
||||
code->size = qr->grid_size;
|
||||
|
||||
/* Skip out early so as not to overrun the buffer. quirc_decode
|
||||
* will return an error on interpreting the code.
|
||||
*/
|
||||
if (code->size > QUIRC_MAX_GRID_SIZE)
|
||||
return;
|
||||
|
||||
for (y = 0; y < qr->grid_size; y++) {
|
||||
int x;
|
||||
for (x = 0; x < qr->grid_size; x++) {
|
||||
|
|
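Review bot: The index test `if (index < 0 || index > q->num_grids)` in the first quirc_extract hunk still accepts `index == q->num_grids`, one past the last populated grid; it should be `if (index < 0 || index >= q->num_grids)`. `qr` is defined above the hunk, presumably as `&q->grids[index]`, so with that index the new `code->size > QUIRC_MAX_GRID_SIZE` guard and the copy loop would work from a grid slot that was never filled in, or from past the array when it is full. Separately, the new early return leaves `code->size` set with an empty bitmap and the function returns void, so the only signal to the caller is the later quirc_decode error. The existing comment says as much, but the header documentation should state that quirc_extract's output must not be consumed without calling quirc_decode.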