Fix stack corruption and bus errors while scanning oversized QR codes
parent
744372e551
commit
963d6ed126
4 changed files with 10 additions and 8 deletions
|
@ -409,7 +409,6 @@ struct datastream {
|
|||
static inline int grid_bit(const struct quirc_code *code, int x, int y)
|
||||
{
|
||||
int p = y * code->size + x;
|
||||
|
||||
return (code->cell_bitmap[p >> 3] >> (p & 7)) & 1;
|
||||
}
|
||||
|
||||
|
|
|
@ -656,8 +656,11 @@ static int measure_timing_pattern(struct quirc *q, int index)
|
|||
/* Choose the nearest allowable grid size */
|
||||
size = scan * 2 + 13;
|
||||
ver = (size - 15) / 4;
|
||||
qr->grid_size = ver * 4 + 17;
|
||||
if (ver > QUIRC_MAX_VERSION) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
qr->grid_size = ver * 4 + 17;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1135,11 +1138,10 @@ void quirc_extract(const struct quirc *q, int index,
|
|||
|
||||
for (y = 0; y < qr->grid_size; y++) {
|
||||
int x;
|
||||
|
||||
for (x = 0; x < qr->grid_size; x++) {
|
||||
if (read_cell(q, index, x, y) > 0)
|
||||
code->cell_bitmap[i >> 3] |= (1 << (i & 7));
|
||||
|
||||
if (read_cell(q, index, x, y) > 0) {
|
||||
code->cell_bitmap[i >> 3] |= (1 << (i & 7));
|
||||
}
|
||||
i++;
|
||||
}
|
||||
}
|
||||
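Review bot: In measure_timing_pattern the new early `return -1` leaves `qr->grid_size` unassigned, so the fix only holds if every caller checks the result; the call site is outside these hunks and should be confirmed to drop the grid on a negative return. The loop in quirc_extract still writes `code->cell_bitmap[i >> 3]` with no bound of its own, so a local guard such as `if (qr->grid_size > QUIRC_MAX_GRID_SIZE) return;` before the loop would keep that write in range even if a grid reaches it by another path (unless the part of quirc_extract above the hunk already does this). The version check also has no lower bound: if `scan` can be very small, `ver` comes out as 0, which is not a valid QR version, so `if (ver < 1 || ver > QUIRC_MAX_VERSION)` may be what is wanted. Both functions start outside the hunks shown.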
|
|
|
@ -78,7 +78,9 @@ typedef enum {
|
|||
const char *quirc_strerror(quirc_decode_error_t err);
|
||||
|
||||
/* Limits on the maximum size of QR-codes and their content. */
|
||||
#define QUIRC_MAX_BITMAP 3917
|
||||
#define QUIRC_MAX_VERSION 40
|
||||
#define QUIRC_MAX_GRID_SIZE (QUIRC_MAX_VERSION * 4 + 17)
|
||||
#define QUIRC_MAX_BITMAP (((QUIRC_MAX_GRID_SIZE * QUIRC_MAX_GRID_SIZE) + 7) / 8)
|
||||
#define QUIRC_MAX_PAYLOAD 8896
|
||||
|
||||
/* QR-code ECC types. */
|
||||
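Review bot: `QUIRC_MAX_PAYLOAD 8896` stays a bare literal while the bitmap limit beside it is now derived from `QUIRC_MAX_VERSION`, so the block comment should say that the payload figure is not recomputed when the version limit changes. For version 40 the derived `QUIRC_MAX_BITMAP` evaluates to the same 3917 as the old literal, so buffer sizes are unchanged by this hunk. A suggested comment above the payload define: `/* QUIRC_MAX_PAYLOAD is not derived from QUIRC_MAX_VERSION; revisit it if that limit changes. */`.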
|
|
|
@ -28,7 +28,6 @@
|
|||
#endif
|
||||
#define QUIRC_MAX_CAPSTONES 32
|
||||
#define QUIRC_MAX_GRIDS 8
|
||||
|
||||
#define QUIRC_PERSPECTIVE_PARAMS 8
|
||||
|
||||
#if QUIRC_MAX_REGIONS < UINT8_MAX
|
||||
|
|