Fix stack corruption and bus errors while scanning oversized QR codes

Claudio Felber 2020-09-15 00:27:15 +02:00
parent 744372e551
commit 963d6ed126
4 changed files with 10 additions and 8 deletions


@ -409,7 +409,6 @@ struct datastream {
static inline int grid_bit(const struct quirc_code *code, int x, int y)
{
int p = y * code->size + x;
return (code->cell_bitmap[p >> 3] >> (p & 7)) & 1;
}


@ -656,8 +656,11 @@ static int measure_timing_pattern(struct quirc *q, int index)
/* Choose the nearest allowable grid size */
size = scan * 2 + 13;
ver = (size - 15) / 4;
qr->grid_size = ver * 4 + 17;
if (ver > QUIRC_MAX_VERSION) {
return -1;
}
qr->grid_size = ver * 4 + 17;
return 0;
}
@ -1135,11 +1138,10 @@ void quirc_extract(const struct quirc *q, int index,
for (y = 0; y < qr->grid_size; y++) {
int x;
for (x = 0; x < qr->grid_size; x++) {
if (read_cell(q, index, x, y) > 0)
code->cell_bitmap[i >> 3] |= (1 << (i & 7));
if (read_cell(q, index, x, y) > 0) {
code->cell_bitmap[i >> 3] |= (1 << (i & 7));
}
i++;
}
}
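Review bot: The bitmap write in quirc_extract, `code->cell_bitmap[i >> 3] |= (1 << (i & 7));`, still relies entirely on the new guard in measure_timing_pattern having run and on its caller acting on the -1; the quirc_extract hunk itself only adds braces. A local check before the loops, such as `if (qr->grid_size > QUIRC_MAX_GRID_SIZE) return;`, would keep the write inside the bitmap (presumably sized by QUIRC_MAX_BITMAP) even if a failure is ignored upstream. The new guard also checks only the upper bound; `if (ver < 1 || ver > QUIRC_MAX_VERSION)` would state the full valid range, though whether `scan` can yield a version below 1 is not visible here. Both function bodies begin outside their hunks, so an equivalent check may already exist above the shown lines.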


@ -78,7 +78,9 @@ typedef enum {
const char *quirc_strerror(quirc_decode_error_t err);
/* Limits on the maximum size of QR-codes and their content. */
#define QUIRC_MAX_BITMAP 3917
#define QUIRC_MAX_VERSION 40
#define QUIRC_MAX_GRID_SIZE (QUIRC_MAX_VERSION * 4 + 17)
#define QUIRC_MAX_BITMAP (((QUIRC_MAX_GRID_SIZE * QUIRC_MAX_GRID_SIZE) + 7) / 8)
#define QUIRC_MAX_PAYLOAD 8896
/* QR-code ECC types. */
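Review bot: The new limit macros carry no comment on units or on how they derive from one another, so a reader cannot tell that QUIRC_MAX_BITMAP is a byte count holding one bit per grid cell. A comment above them would help, for example `/* QUIRC_MAX_BITMAP: bytes for one bit per cell of a QUIRC_MAX_GRID_SIZE-square grid, rounded up. */`. For version 40 the expression evaluates to 3917, the same value as the literal it replaces, so this header change does not enlarge the buffer and the protection comes from the version check in the scanning code. `QUIRC_MAX_PAYLOAD 8896` remains a bare literal and could be documented the same way.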


@ -28,7 +28,6 @@
#endif
#define QUIRC_MAX_CAPSTONES 32
#define QUIRC_MAX_GRIDS 8
#define QUIRC_PERSPECTIVE_PARAMS 8
#if QUIRC_MAX_REGIONS < UINT8_MAX