diff --git a/camera/metadata/src/camera_metadata_info.cpp b/camera/metadata/src/camera_metadata_info.cpp
index 74ff433e42dfaafd82234d69818a16635f87e10e..d781d953743d2d33f50ff1c2ea303b2db2961ecc 100644
--- a/camera/metadata/src/camera_metadata_info.cpp
+++ b/camera/metadata/src/camera_metadata_info.cpp
@@ -553,8 +553,7 @@ camera_metadata_item_entry_t *CameraMetadata::GetMetadataItems(const common_meta
 return nullptr;
 }
 if (metadataHeader->data_start != 0) {
- if (metadataHeader->size != metadataHeader->data_capacity + metadataHeader->data_start ||
- metadataHeader->data_capacity == 0) {
+ if (metadataHeader->size != metadataHeader->data_capacity + metadataHeader->data_start) {
 METADATA_ERR_LOG("GetMetadataItems error size:%{public}u, data_capacity:%{public}u, data_start:%{public}u",
 metadataHeader->size, metadataHeader->data_capacity, metadataHeader->data_start);
 return nullptr;
diff --git a/camera/metadata/src/metadata_utils.cpp b/camera/metadata/src/metadata_utils.cpp
index 8cedd2b587ca8885f3a703a11d369ace365e9f7f..f7de85d759893868924b13d7a83be069c8ae58ca 100644
--- a/camera/metadata/src/metadata_utils.cpp
+++ b/camera/metadata/src/metadata_utils.cpp
@@ -16,6 +16,7 @@
 #include "metadata_utils.h"
 #include
 #include "metadata_log.h"
+#include "camera_metadata_item_info.h"
 #define IF_COND_PRINT_MSG_AND_RETURN(cond, msg) \
 if (cond) { \
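Review bot: In GetMetadataItems (camera_metadata_info.cpp), the surviving check `metadataHeader->size != metadataHeader->data_capacity + metadataHeader->data_start` adds two header fields before comparing; if they are 32-bit unsigned, as the `%{public}u` log format suggests, the sum can wrap and a header with oversized values can still satisfy the equality. Widening one operand keeps the comparison exact: `if (metadataHeader->size != (uint64_t)metadataHeader->data_capacity + metadataHeader->data_start) {`. With the `data_capacity == 0` rejection removed, this equality is the only consistency check visible here for a non-zero data_start, so a short comment stating that an empty data region is now accepted on purpose would help the next reader. The function body starts and ends outside the hunk.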
@@ -483,12 +484,12 @@ std::shared_ptr MetadataUtils::DecodeFromString(std::string sett
 IF_COND_PRINT_MSG_AND_RETURN(ret != EOK,
 "MetadataUtils::DecodeFromString Failed to copy memory for metadata header")
- bool isItemsStartInvalid = meta->items_start >= actualMemSize || meta->items_start < headerLength ||
- meta->item_count == 0;
+ bool isItemsStartInvalid = meta->items_start >= actualMemSize || meta->items_start < headerLength;
 bool isDataStartInvalid = meta->data_start >= actualMemSize || meta->data_start < headerLength;
 bool isMetadataCountInvaild = (actualMemSize - meta->items_start) < (uint64_t)meta->item_count * itemLen ||
 (actualMemSize - meta->data_start) < meta->data_count;
- IF_COND_PRINT_MSG_AND_RETURN(isItemsStartInvalid || isDataStartInvalid || isMetadataCountInvaild,
+ bool isFuzzErrData = (actualMemSize - meta->items_start) < (uint64_t)meta->item_capacity * itemLen;
+ IF_COND_PRINT_MSG_AND_RETURN(isItemsStartInvalid || isDataStartInvalid || isMetadataCountInvaild || isFuzzErrData,
 "MetadataUtils::DecodeFromString invalid item_start")
 decodeData += headerLength;
 camera_metadata_item_entry_t *item = GetMetadataItems(meta);
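Review bot: The new `isFuzzErrData` check bounds `item_capacity` against the buffer, but no matching bound on `data_capacity` is visible in this hunk; only `data_count` is compared with `actualMemSize - meta->data_start`. The header appears to be copied from the encoded string, so a check such as `(actualMemSize - meta->data_start) < meta->data_capacity` would close the same gap on the data side (this assumes data_capacity is a byte count like data_count, which should be confirmed). The flag name records how the case was found rather than what it tests; `isItemCapacityInvalid` would sit better next to its neighbours. The shared message "invalid item_start" now covers four different conditions, which makes the log hard to triage. The function body starts and ends outside the hunk.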
@@ -503,8 +504,14 @@ std::shared_ptr MetadataUtils::DecodeFromString(std::string sett
 "MetadataUtils::DecodeFromString Failed to copy memory for item fixed fields")
 decodeData += itemFixedLen;
 uint32_t dataLen = itemLen - itemFixedLen;
- ret = memcpy_s(&(item->data), dataLen, decodeData, dataLen);
-
+ ret = memcpy_s(&(item->data), dataLen, decodeData, dataLen);
+ if (item->data_type >= META_NUM_TYPES ||
+ totalLen < (uint64_t)(item->count * OHOS_CAMERA_METADATA_TYPE_SIZE[item->data_type])) {
+ METADATA_ERR_LOG("MetadataUtils::DecodeFromString Failed at item index: %{public}u, "
+ "totalLen :%{public}u, data type :%{public}u, count:%{public}u",
+ index, totalLen, item->data_type, item->count);
+ return {};
+ }
 IF_COND_PRINT_MSG_AND_RETURN(ret != EOK,
 "MetadataUtils::DecodeFromString Failed to copy memory for item data field")
 decodeData += dataLen;
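Review bot: In the added bounds check, the cast in `(uint64_t)(item->count * OHOS_CAMERA_METADATA_TYPE_SIZE[item->data_type])` is applied after the multiplication, so on a target where both operands are 32-bit the product can wrap before it is widened and a very large `count` would pass the comparison. Casting one operand first matches the `(uint64_t)meta->item_count * itemLen` form used earlier in this function: `totalLen < (uint64_t)item->count * OHOS_CAMERA_METADATA_TYPE_SIZE[item->data_type]) {`. The check also sits between the `memcpy_s` call and the test of its `ret`, so a failed copy is reported only after `item->data_type` and `item->count` have been inspected; moving the `ret != EOK` test directly after the copy would keep the two concerns separate. The function body starts and ends outside the hunk.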