diff --git a/frameworks/innerkitsimpl/codec/src/image_source.cpp b/frameworks/innerkitsimpl/codec/src/image_source.cpp index 83b7443257b1c79c1e331d09b8c82eb2385b3a92..00f33a04bcefb785004a51df6dfa42ce5b2bae01 100644 --- a/frameworks/innerkitsimpl/codec/src/image_source.cpp +++ b/frameworks/innerkitsimpl/codec/src/image_source.cpp @@ -5117,6 +5117,10 @@ bool ImageSource::CheckJpegSourceStream(StreamInfo &streamInfo) streamInfo.needDelete = true; if (!GetStreamData(sourceStreamPtr_, streamInfo.buffer, streamInfo.size)) { IMAGE_LOGE("%{public}s GetStreamData failed!", __func__); + if (streamInfo.needDelete && streamInfo.buffer) { + delete[] streamInfo.buffer; + streamInfo.buffer = nullptr; + } return false; } } diff --git a/frameworks/innerkitsimpl/picture/picture.cpp b/frameworks/innerkitsimpl/picture/picture.cpp index 2ccc09d17d726b414ed1ead8ccdf611f54136fa9..5cd0a73d714536e7227a708afe0776df815b3ac5 100644 --- a/frameworks/innerkitsimpl/picture/picture.cpp +++ b/frameworks/innerkitsimpl/picture/picture.cpp @@ -679,6 +679,10 @@ int32_t Picture::SetExifMetadata(sptr &surfaceBuffer) CHECK_ERROR_RETURN_RET_LOG(cond, ERR_IMAGE_INVALID_PARAMETER, "The size of exif metadata exceeds the buffer size."); + cond = static_cast(size) < tiffHeaderPos; + CHECK_ERROR_RETURN_RET_LOG(cond, ERR_IMAGE_INVALID_PARAMETER, + "Tiff header position exceeds the size of exif metadata."); + cond = static_cast(size) - tiffHeaderPos > MAX_EXIFMETADATA_SIZE; CHECK_ERROR_RETURN_RET_LOG(cond, ERR_IMAGE_INVALID_PARAMETER, "Failed to set exif metadata," diff --git a/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp b/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp index dbf40f8148d8a9a15554324376ee504b595fb5d4..6774941bec88780e5371c65f53874c8cf9f08b90 100644 --- a/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp +++ b/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp @@ -41,6 +41,11 @@ bool BufferPackerStream::Write(const uint8_t *buffer, uint32_t size) IMAGE_LOGE("output stream is null."); return false; } + if (maxSize_ < offset_) { + IMAGE_LOGE("offset:[%{public}lld] out of max size:[%{public}u].", + static_cast(offset_), maxSize_); + return false; + } uint32_t leftSize = maxSize_ - offset_; if (size > leftSize) { IMAGE_LOGE("write data:[%{public}lld] out of max size:[%{public}u].", diff --git a/plugins/common/libs/image/libextplugin/src/hardware/imagecodec/image_codec.cpp b/plugins/common/libs/image/libextplugin/src/hardware/imagecodec/image_codec.cpp index 3b77deb0c88af2fab5bccec123d9b01e02992358..fdd536400fc573e8784ecc686444eb83a7e5824e 100644 --- a/plugins/common/libs/image/libextplugin/src/hardware/imagecodec/image_codec.cpp +++ b/plugins/common/libs/image/libextplugin/src/hardware/imagecodec/image_codec.cpp @@ -303,7 +303,12 @@ int32_t ImageCodec::SetFrameRateAdaptiveMode(const Format &format) HLOGW("get working freq param failed"); return IC_ERR_UNKNOWN; } - HLOGI("level cnt is %{public}d, set level to %{public}d", param.level, param.level - 1); + if (param.level == 0) { + HLOGE("Overflow risk: param.level is 0"); + return IC_ERR_UNKNOWN; + } + + HLOGI("level cnt is %{public}u, set level to %{public}u", param.level, param.level - 1); param.level = param.level - 1; if (!SetParameter(OMX_IndexParamWorkingFrequency, param)) {