From c2e9ff1ac5eff4c0ca8ddb0b2c186f259bc5635a Mon Sep 17 00:00:00 2001
From: duanhan <duanhan1@huawei.com>
Date: Thu, 21 Nov 2024 11:56:44 +0800
Subject: [PATCH] 1121 webp fuzz memcpy check fix Signed-off-by: duanhan
 <duanhan1@huawei.com>

---
 .../accessor/src/jpeg_exif_metadata_accessor.cpp            | 2 +-
 .../accessor/src/webp_exif_metadata_accessor.cpp            | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/frameworks/innerkitsimpl/accessor/src/jpeg_exif_metadata_accessor.cpp b/frameworks/innerkitsimpl/accessor/src/jpeg_exif_metadata_accessor.cpp
index a8d610a79..58ba2de6c 100644
--- a/frameworks/innerkitsimpl/accessor/src/jpeg_exif_metadata_accessor.cpp
+++ b/frameworks/innerkitsimpl/accessor/src/jpeg_exif_metadata_accessor.cpp
@@ -290,7 +290,7 @@ bool JpegExifMetadataAccessor::WriteData(BufferMetadataStream &bufStream, uint8_
         IMAGE_LOGE("Failed to write data blob. dataBlob is nullptr");
         return false;
     }
-    if (memcmp(reinterpret_cast<char *>(dataBlob), EXIF_ID, EXIF_ID_SIZE) != 0) {
+    if (size >= EXIF_ID_SIZE && memcmp(reinterpret_cast<char *>(dataBlob), EXIF_ID, EXIF_ID_SIZE) != 0) {
         writeHeaderLength = APP1_HEADER_LENGTH;
         exifHeaderLength = APP1_EXIF_LENGTH;
         std::copy_n(EXIF_ID, EXIF_ID_SIZE, tmpBuf.data() + MARKER_LENGTH_SIZE);
diff --git a/frameworks/innerkitsimpl/accessor/src/webp_exif_metadata_accessor.cpp b/frameworks/innerkitsimpl/accessor/src/webp_exif_metadata_accessor.cpp
index 371ad223a..1ebb2cabb 100644
--- a/frameworks/innerkitsimpl/accessor/src/webp_exif_metadata_accessor.cpp
+++ b/frameworks/innerkitsimpl/accessor/src/webp_exif_metadata_accessor.cpp
@@ -398,7 +398,7 @@ std::tuple<uint32_t, uint32_t> WebpExifMetadataAccessor::GetWidthAndHeightFormCh
     static const uint32_t bitOperVp8 = 0x3fff;
     static const byte offset3 = 3;
     static const byte offset2 = 2;
-    if (strChunkId == WEBP_CHUNK_HEADER_VP8) {
+    if (strChunkId == WEBP_CHUNK_HEADER_VP8 && chunkData.Size() >= (WEBP_CHUNK_HEIGHT_OFFSET + WEBP_BUF_SIZE)) {
         byte sizeBuf[WEBP_BUF_SIZE];
 
         (void)memcpy_s(&sizeBuf, WEBP_BUF_SIZE, chunkData.CData(WEBP_CHUNK_WIDTH_OFFSET), WEBP_BUF_SIZE);
@@ -408,7 +408,7 @@ std::tuple<uint32_t, uint32_t> WebpExifMetadataAccessor::GetWidthAndHeightFormCh
         return std::make_tuple(width, height);
     }
     
-    if (strChunkId == WEBP_CHUNK_HEADER_VP8L) {
+    if (strChunkId == WEBP_CHUNK_HEADER_VP8L && chunkData.Size() >= (WEBP_BUF_SIZE + WEBP_BUF_SIZE + 1)) {
         byte bufWidth[WEBP_BUF_SIZE];
         byte bufHeight[WEBP_BUF_SIZE + 1];
 
@@ -424,7 +424,7 @@ std::tuple<uint32_t, uint32_t> WebpExifMetadataAccessor::GetWidthAndHeightFormCh
         return std::make_tuple(width, height);
     }
 
-    if (strChunkId == WEBP_CHUNK_HEADER_ANMF) {
+    if (strChunkId == WEBP_CHUNK_HEADER_ANMF && chunkData.Size() >= (WEBP_CHUNK_WIDTH_OFFSET + offset3 + offset3)) {
         byte sizeBuf[WEBP_CHUNK_SIZE];
         
         (void)memcpy_s(&sizeBuf, offset3, chunkData.CData(WEBP_CHUNK_WIDTH_OFFSET), offset3);