LeaseSet::ReadFromBuffer() SIGSEGV when m_StoreLeases is true and m_Buffer too small #1772

Closed
chadf opened this issue Jul 4, 2022 · 0 comments

Comments

@chadf
Copy link
Contributor

chadf commented Jul 4, 2022

Size bounds are not checked against the encryption key length before the memcpy from m_Buffer + size.

                if (size > m_BufferLen)
                {
                        LogPrint (eLogError, "LeaseSet: Identity length ", size, " exceeds buffer size ", m_BufferLen);
                        m_IsValid = false;
                        return;
                }
                if (m_StoreLeases)
                {
                        if (!m_EncryptionKey) m_EncryptionKey = new uint8_t[256];
                        memcpy (m_EncryptionKey, m_Buffer + size, 256);
                }
                size += 256; // encryption key


Program terminated with signal SIGSEGV, Segmentation fault.
Address not mapped to object.
#0  0x000000080123bc16 in memcpy () from /lib/libc.so.7
#1  0x00000000006b73fb in i2p::data::LeaseSet::ReadFromBuffer (this=0x803ea1f58, readIdentity=true, verifySignature=true) at libi2pd/LeaseSet.cpp:72
#2  0x00000000006b7204 in i2p::data::LeaseSet::LeaseSet (this=0x803ea1f58,
    buf=0x8036c3106 "\241c\257\327\300\227\245$AG?\302\311\071\376k-(]\366\376\353\265\213\351[\217\200\206\365p_$[\263\aG\225\221\346\243Vs\f<\234\270\374\061\020d\213P\001<\356(\017\217E&\345\251\224\315\212e3c\231\333vQ\321<\f~\371\316\b$\037\066t\017\200\350\\s\270\022\253\362\331\261)\003\364\307\336\367\325:F,[", len=832, storeLeases=true) at libi2pd/LeaseSet.cpp:35
#3  0x000000000061f2bb in std::__1::__compressed_pair_elem<i2p::data::LeaseSet, 1, false>::__compressed_pair_elem<unsigned char const*&&, unsigned long&&, 0ul, 1ul> (this=0x803ea1f58, __args=...) at /usr/include/c++/v1/memory:2214
#4  0x000000000061eeb6 in std::__1::__compressed_pair<std::__1::allocator<i2p::data::LeaseSet>, i2p::data::LeaseSet>::__compressed_pair<std::__1::allocator<i2p::data::LeaseSet>&, unsigned char const*&&, unsigned long&&> (this=0x803ea1f58, __pc=..., __first_args=..., __second_args=...)
    at /usr/include/c++/v1/memory:2298
#5  0x000000000061ea9c in std::__1::__shared_ptr_emplace<i2p::data::LeaseSet, std::__1::allocator<i2p::data::LeaseSet> >::__shared_ptr_emplace<unsigned char const*, unsigned long> (this=0x803ea1f40, __a=..., __args=@0x7fffde7f02e8: 832, __args=@0x7fffde7f02e8: 832) at /usr/include/c++/v1/memory:3571
#6  0x00000000006064bf in std::__1::make_shared<i2p::data::LeaseSet, unsigned char const*, unsigned long> (__args=@0x7fffde7f02e8: 832,
    __args=@0x7fffde7f02e8: 832) at /usr/include/c++/v1/memory:4402
#7  0x00000000005ec271 in i2p::client::LeaseSetDestination::HandleDatabaseStoreMessage (this=0x803ee7418,
    buf=0x8036c30e1 "\326 ^\310\212S\236<\313[\022&'\215\364\260\200g\305\323\364[EI\353\063v\023S\342\\4\001", len=869)
    at libi2pd/Destination.cpp:442
#8  0x00000000005ebcb4 in i2p::client::LeaseSetDestination::HandleCloveI2NPMessage (this=0x803ee7418, typeID=i2p::eI2NPDatabaseStore,
    payload=0x8036c30e1 "\326 ^\310\212S\236<\313[\022&'\215\364\260\200g\305\323\364[EI\353\063v\023S\342\\4\001", len=869, msgID=2998768103)
    at libi2pd/Destination.cpp:385
#9  0x000000000065b1bb in i2p::garlic::GarlicDestination::HandleECIESx25519GarlicClove (this=0x803ee7418,
    buf=0x8036c30e1 "\326 ^\310\212S\236<\313[\022&'\215\364\260\200g\305\323\364[EI\353\063v\023S\342\\4\001", len=879) at libi2pd/Garlic.cpp:1052
#10 0x000000000067bd50 in i2p::garlic::SymmetricKeyTagSet::HandleNextMessage (this=0x80437ad58, buf=0x8036c30cc "\241\036\277j55|\251\v\003o",
    len=898, index=0) at libi2pd/ECIESX25519AEADRatchetSession.cpp:159
#11 0x0000000000657e80 in i2p::garlic::GarlicDestination::HandleECIESx25519TagMessage (this=0x803ee7418,
    buf=0x8036c30cc "\241\036\277j55|\251\v\003o", len=914) at libi2pd/Garlic.cpp:591
#12 0x00000000006573c6 in i2p::garlic::GarlicDestination::HandleGarlicMessage (this=0x803ee7418, msg=...) at libi2pd/Garlic.cpp:507

LeaseSet.cpp-size_plus256-2.42.1.patch.txt
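
The unchecked path described in the comment above, next to a bounds-checked version, as an added example that is not i2pd's code and not the attached patch. It assumes a simplified layout for illustration: 384 fixed identity bytes, a 3-byte certificate header (type, big-endian length) whose length field comes from the wire, then the 256-byte encryption key. All function names (claimedIdentityLen, uncheckedWouldOverread, parseChecked, makeBuffer) are hypothetical, and the input buffer is constructed, not captured traffic.

```cpp
// Added example, not i2pd code: a reduced model of the parse the issue describes.
// Layout is an assumption for illustration: 384 fixed identity bytes, a 3-byte
// certificate header (type, big-endian length) whose length is peer-controlled,
// then a 256-byte encryption key. Function names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

constexpr size_t kIdentityFixedLen = 384;   // model: public key + signing key
constexpr size_t kCertHeaderLen    = 3;     // 1-byte type + 2-byte big-endian length
constexpr size_t kEncryptionKeyLen = 256;   // the 256 bytes the issue's memcpy copies

struct Parsed {
    size_t identityLen = 0;
    std::vector<uint8_t> encryptionKey;
};

// Identity length as the embedded certificate claims it. The length field comes
// from the wire, so the remote peer chooses it. nullopt if the header does not fit.
std::optional<size_t> claimedIdentityLen(const uint8_t* buf, size_t len) {
    if (len < kIdentityFixedLen + kCertHeaderLen) return std::nullopt;
    const uint8_t* cert = buf + kIdentityFixedLen;
    size_t certLen = (static_cast<size_t>(cert[1]) << 8) | cert[2];
    return kIdentityFixedLen + kCertHeaderLen + certLen;
}

// Mirrors the unchecked logic quoted in the issue: only "size > len" is rejected,
// then 256 bytes are read from buf + size. To keep the example safe to run it
// reports whether that read would leave the buffer instead of performing it.
bool uncheckedWouldOverread(const uint8_t* buf, size_t len) {
    std::optional<size_t> size = claimedIdentityLen(buf, len);
    if (!size || *size > len) return false;       // rejected before the memcpy
    return *size + kEncryptionKeyLen > len;       // memcpy would run past the end
}

// Hardened form: require size + 256 <= len before touching the key bytes. The
// subtraction form avoids wraparound of size + 256 on a hostile size value.
std::optional<Parsed> parseChecked(const uint8_t* buf, size_t len) {
    std::optional<size_t> size = claimedIdentityLen(buf, len);
    if (!size || *size > len) return std::nullopt;
    if (len < kEncryptionKeyLen || *size > len - kEncryptionKeyLen) return std::nullopt;
    Parsed out;
    out.identityLen = *size;
    out.encryptionKey.assign(buf + *size, buf + *size + kEncryptionKeyLen);
    return out;
}

// Constructed test input (not a captured message): byte i holds i & 0xFF, with the
// certificate header at offset 384 carrying the requested certificate length.
std::vector<uint8_t> makeBuffer(size_t certLen, size_t totalLen) {
    if (totalLen < kIdentityFixedLen + kCertHeaderLen) return {};
    std::vector<uint8_t> v(totalLen);
    for (size_t i = 0; i < totalLen; ++i) v[i] = static_cast<uint8_t>(i & 0xFF);
    v[kIdentityFixedLen]     = 5;                                  // cert type, arbitrary
    v[kIdentityFixedLen + 1] = static_cast<uint8_t>(certLen >> 8);
    v[kIdentityFixedLen + 2] = static_cast<uint8_t>(certLen & 0xFF);
    return v;
}

int main() {
    const size_t len = 832;   // same total length as in the issue's backtrace
    // Benign: 4-byte certificate, identity 391 bytes, key fits with room to spare.
    auto benign = makeBuffer(4, len);
    // Hostile: certificate length 400 makes the identity 787 bytes, which passes the
    // "size > len" check, but 787 + 256 exceeds 832.
    auto hostile = makeBuffer(400, len);
    std::printf("benign  overread=%d parsed=%d\n",
                uncheckedWouldOverread(benign.data(), len),
                parseChecked(benign.data(), len).has_value());
    std::printf("hostile overread=%d parsed=%d\n",
                uncheckedWouldOverread(hostile.data(), len),
                parseChecked(hostile.data(), len).has_value());
    return 0;
}
```

The point the hostile case makes is that the existing "size > m_BufferLen" check is necessary but not sufficient: any certificate length that leaves fewer than 256 bytes after the identity passes it and still drives the memcpy off the end of the buffer, which is what the backtrace shows.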

simonvetter added a commit to simonvetter/i2pd that referenced this issue Jul 16, 2022
This builds on ChadF's issue and patch (PurpleI2P#1772)
and fixes other potential bound check issues.
simonvetter added a commit to simonvetter/i2pd that referenced this issue Jul 16, 2022
This builds on ChadF's issue and patch (PurpleI2P#1772)
and fixes other potential bound check issues.
@r4sas r4sas closed this as completed Aug 5, 2022