diff options
| author | Christos Zoulas <christos@zoulas.com> | 2017-03-17 23:56:16 +0000 |
|---|---|---|
| committer | Christos Zoulas <christos@zoulas.com> | 2017-03-17 23:56:16 +0000 |
| commit | ea2cd50d09bfc02ebbd066cad91f1883aba9a3ac (patch) | |
| tree | b5f5fb7b79ea54bc2e814ce361905d5b96de66a9 | |
| parent | 03ddee2290e018f9d61046b68c499eb4bee3882c (diff) | |
| download | file-git-origin.tar.gz | |
| -rw-r--r-- | src/cdf.c | 9 |
1 files changed, 6 insertions, 3 deletions
@@ -35,7 +35,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: cdf.c,v 1.91 2017/03/17 19:50:22 christos Exp $") +FILE_RCSID("@(#)$File: cdf.c,v 1.92 2017/03/17 23:56:16 christos Exp $") #endif #include <assert.h> @@ -984,11 +984,14 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, { uint32_t l; - o4 += sizeof(uint32_t); - if (q + o >= e || q + o4 >= e) + if (q + o + sizeof(uint32_t) >= e) goto out; l = CDF_GETUINT32(q, o); + o4 += sizeof(uint32_t); + if (q + o4 + l >= e) + goto out; + inp[i].pi_str.s_len = l; inp[i].pi_str.s_buf = CAST(const char *, CAST(const void *, &q[o4])); |