From 67a1fca0feb33f1b9372ecaef64ab0f1e8950c26 Mon Sep 17 00:00:00 2001
From: fanzhihao8
Date: Sat, 5 Jul 2025 18:30:04 +0800
Subject: [PATCH 1/4] fix bug 1

Signed-off-by: fanzhihao8
---
 .../innerkitsimpl/stream/src/buffer_packer_stream.cpp | 5 +++++
 .../libextplugin/src/hardware/imagecodec/image_codec.cpp | 7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp b/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp
index dbf40f814..3ab17cc9c 100644
--- a/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp
+++ b/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp
@@ -41,6 +41,11 @@ bool BufferPackerStream::Write(const uint8_t *buffer, uint32_t size)
 IMAGE_LOGE("output stream is null.");
 return false;
 }
+ if (maxSize_ < offset_) {
+ IMAGE_LOGE("offset:[%{public}u] out of max size:[%{public}u].",
+ offset_, maxSize_);
+ return false;
+ }
 uint32_t leftSize = maxSize_ - offset_;
 if (size > leftSize) {
 IMAGE_LOGE("write data:[%{public}lld] out of max size:[%{public}u].",
diff --git a/plugins/common/libs/image/libextplugin/src/hardware/imagecodec/image_codec.cpp b/plugins/common/libs/image/libextplugin/src/hardware/imagecodec/image_codec.cpp
index 3b77deb0c..fdd536400 100644
--- a/plugins/common/libs/image/libextplugin/src/hardware/imagecodec/image_codec.cpp
+++ b/plugins/common/libs/image/libextplugin/src/hardware/imagecodec/image_codec.cpp
@@ -303,7 +303,12 @@ int32_t ImageCodec::SetFrameRateAdaptiveMode(const Format &format)
 HLOGW("get working freq param failed");
 return IC_ERR_UNKNOWN;
 }
- HLOGI("level cnt is %{public}d, set level to %{public}d", param.level, param.level - 1);
+ if (param.level == 0) {
+ HLOGE("Overflow risk: param.level is 0");
+ return IC_ERR_UNKNOWN;
+ }
+
+ HLOGI("level cnt is %{public}u, set level to %{public}u", param.level, param.level - 1);
 param.level = param.level - 1;
 if (!SetParameter(OMX_IndexParamWorkingFrequency, param)) {
--
Gitee
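Review bot: The new `maxSize_ < offset_` guard in BufferPackerStream::Write rejects only an offset that is too large. If offset_ is a signed 64-bit member, as the `%{public}lld` cast added on the same lines in PATCH 4/4 suggests, a negative offset_ passes the comparison. `maxSize_ - offset_` is then narrowed into the `uint32_t leftSize`, so the following `size > leftSize` test can still accept a write outside the buffer. Consider `if (offset_ < 0 || offset_ > maxSize_) {` instead, subject to the member's declared type, which is not visible here. Write's body starts and ends outside the hunk.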
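Review bot: The zero-level branch in ImageCodec::SetFrameRateAdaptiveMode returns `IC_ERR_UNKNOWN`, the same code as the failed parameter query just above it, so callers cannot tell a component that reports no working-frequency levels from a failed query. The log text "Overflow risk" is also misleading, since the branch prevents `param.level - 1` from wrapping below zero; `HLOGE("working freq level cnt is 0, cannot select a level");` states the condition directly. The change from `%{public}d` to `%{public}u` assumes param.level is an unsigned 32-bit field, and its declaration is outside this hunk. The function body continues past the hunk.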
From 10139c79520b8e33edd91d27f4ae87c47bfb7f78 Mon Sep 17 00:00:00 2001
From: fanzhihao8
Date: Mon, 7 Jul 2025 16:25:39 +0800
Subject: [PATCH 2/4] fix bug 2

Signed-off-by: fanzhihao8
---
 frameworks/innerkitsimpl/codec/src/image_source.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/frameworks/innerkitsimpl/codec/src/image_source.cpp b/frameworks/innerkitsimpl/codec/src/image_source.cpp
index 83b744325..00f33a04b 100644
--- a/frameworks/innerkitsimpl/codec/src/image_source.cpp
+++ b/frameworks/innerkitsimpl/codec/src/image_source.cpp
@@ -5117,6 +5117,10 @@ bool ImageSource::CheckJpegSourceStream(StreamInfo &streamInfo)
 streamInfo.needDelete = true;
 if (!GetStreamData(sourceStreamPtr_, streamInfo.buffer, streamInfo.size)) {
 IMAGE_LOGE("%{public}s GetStreamData failed!", __func__);
+ if (streamInfo.needDelete && streamInfo.buffer) {
+ delete[] streamInfo.buffer;
+ streamInfo.buffer = nullptr;
+ }
 return false;
 }
 }
--
Gitee

From 6434a46bf730521680781e399dec1dab30d95718 Mon Sep 17 00:00:00 2001
From: fanzhihao8
Date: Wed, 9 Jul 2025 11:20:00 +0800
Subject: [PATCH 3/4] fix bug 3

Signed-off-by: fanzhihao8
---
 frameworks/innerkitsimpl/picture/picture.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/frameworks/innerkitsimpl/picture/picture.cpp b/frameworks/innerkitsimpl/picture/picture.cpp
index 2ccc09d17..5cd0a73d7 100644
--- a/frameworks/innerkitsimpl/picture/picture.cpp
+++ b/frameworks/innerkitsimpl/picture/picture.cpp
@@ -679,6 +679,10 @@ int32_t Picture::SetExifMetadata(sptr &surfaceBuffer)
 CHECK_ERROR_RETURN_RET_LOG(cond, ERR_IMAGE_INVALID_PARAMETER,
 "The size of exif metadata exceeds the buffer size.");
+ cond = static_cast(size) < tiffHeaderPos;
+ CHECK_ERROR_RETURN_RET_LOG(cond, ERR_IMAGE_INVALID_PARAMETER,
+ "Tiff header position exceeds the size of exif metadata.");
+
 cond = static_cast(size) - tiffHeaderPos > MAX_EXIFMETADATA_SIZE;
 CHECK_ERROR_RETURN_RET_LOG(cond, ERR_IMAGE_INVALID_PARAMETER,
 "Failed to set exif metadata,"
--
Gitee
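Review bot: In the GetStreamData failure branch of ImageSource::CheckJpegSourceStream (PATCH 2/4), `delete[] streamInfo.buffer` is correct only if GetStreamData allocates with `new[]` and never leaves an already-freed pointer in `streamInfo.buffer` when it fails. Neither is visible in this hunk, and a mismatch would turn the leak fix into a double free or a mismatched deallocation. The `streamInfo.needDelete &&` test is always true at this point because the flag is assigned on the line directly before the call. After the free I would also reset the remaining fields with `streamInfo.needDelete = false; streamInfo.size = 0;` so later cleanup cannot act on stale state. A short comment stating who owns the buffer on failure would document the contract; the function continues outside the hunk.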
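Review bot: The added comparison `size < tiffHeaderPos` in Picture::SetExifMetadata (PATCH 3/4) still lets `size == tiffHeaderPos` through, which leaves a zero-length EXIF payload after the subtraction on the following check. If the code past this hunk reads a TIFF header from that region, the bound should be `<=` rather than `<`, or a minimum payload length should be checked explicitly. The declared types of `size` and `tiffHeaderPos` are not visible here, so whether the cast covers a negative `size` depends on the check just above the hunk. A comment such as `// reject tiffHeaderPos > size first: the subtraction below is unsigned and would wrap` would record why the order of the two checks matters.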
From 99a5e715cc35ffc9c78bc274ce20f7d0ba4f22b5 Mon Sep 17 00:00:00 2001
From: fanzhihao8
Date: Wed, 9 Jul 2025 15:30:05 +0800
Subject: [PATCH 4/4] fix bug 1

Signed-off-by: fanzhihao8
---
 frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp b/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp
index 3ab17cc9c..6774941be 100644
--- a/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp
+++ b/frameworks/innerkitsimpl/stream/src/buffer_packer_stream.cpp
@@ -42,8 +42,8 @@ bool BufferPackerStream::Write(const uint8_t *buffer, uint32_t size)
 return false;
 }
 if (maxSize_ < offset_) {
- IMAGE_LOGE("offset:[%{public}u] out of max size:[%{public}u].",
- offset_, maxSize_);
+ IMAGE_LOGE("offset:[%{public}lld] out of max size:[%{public}u].",
+ static_cast(offset_), maxSize_);
 return false;
 }
 uint32_t leftSize = maxSize_ - offset_;
--
Gitee