shithub: git9

Download patch

ref: 559e589947b8e3da2222fe21f369774bb0a92ce7
parent: 504dc0cb46de77f22a78eb5b521a8d6ff475fd94
author: Ori Bernstein <ori@eigenstate.org>
date: Sat Dec 28 14:41:42 EST 2019

add appropriate bounds checks

--- a/pack.c
+++ b/pack.c
@@ -323,15 +323,15 @@
 			o = 0;
 			l = 0;
 			/* Offset in base */
-			if(c & 0x01) o |= (*d++ <<  0) & 0x000000ff;
-			if(c & 0x02) o |= (*d++ <<  8) & 0x0000ff00;
-			if(c & 0x04) o |= (*d++ << 16) & 0x00ff0000;
-			if(c & 0x08) o |= (*d++ << 24) & 0xff000000;
+			if(d != ed && c & 0x01) o |= (*d++ <<  0) & 0x000000ff;
+			if(d != ed && c & 0x02) o |= (*d++ <<  8) & 0x0000ff00;
+			if(d != ed && c & 0x04) o |= (*d++ << 16) & 0x00ff0000;
+			if(d != ed && c & 0x08) o |= (*d++ << 24) & 0xff000000;
 
 			/* Length to copy */
-			if(c & 0x10) l |= (*d++ <<  0) & 0x0000ff;
-			if(c & 0x20) l |= (*d++ <<  8) & 0x00ff00;
-			if(c & 0x40) l |= (*d++ << 16) & 0xff0000;
+			if(d != ed && c & 0x10) l |= (*d++ <<  0) & 0x0000ff;
+			if(d != ed && c & 0x20) l |= (*d++ <<  8) & 0x00ff00;
+			if(d != ed && c & 0x40) l |= (*d++ << 16) & 0xff0000;
 			if(l == 0) l = 0x10000;
 
 			assert(o + l <= base->size);
@@ -339,6 +339,7 @@
 			r += l;
 		/* inline data */
 		}else{
+			assert(c < ed - d);
 			memmove(r, d, c);
 			d += c;
 			r += c;