
Commit 612562b

Fix: index entry label not being zero-terminated with corrupt input
1 parent 1e0378e commit 612562b

2 files changed

+10
-5
lines changed


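--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+2022-05-05: Fix: index entry label not being zero-terminated with corrupt input
 2022-05-03: Fix boundary checking error in markup search, that could cause buffer over-read with corrupt input
 2022-05-02: Fix typo in macro name
 2022-04-27: Fix undefined behavior when passing null to strdup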

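--- a/src/index.c
+++ b/src/index.c
@@ -29,11 +29,11 @@
 /**
 @brief Read index entry label from buffer pointing at index record data
 
-@param[in,out] output Output string
+@param[in,out] output Output buffer (INDX_LABEL_SIZEMAX + 1 bytes)
 @param[in,out] buf MOBIBuffer structure, offset pointing at index entry label
 @param[in] length Number of bytes to be read
 @param[in] has_ligatures Decode ligatures if true
-@return Size of read label
+@return Length of output string (without null terminator), on error buf->error set to MOBI_RET status
 */
 size_t mobi_indx_get_label(unsigned char *output, MOBIBuffer *buf, const size_t length, const size_t has_ligatures) {
 if (!output) {
@@ -248,9 +248,9 @@ uint16_t mobi_ordt_lookup(const MOBIOrdt *ordt, const uint16_t offset) {
 
 @param[in] ordt MOBIOrdt structure (ORDT data and metadata)
 @param[in,out] buf MOBIBuffer structure with input string
-@param[in,out] output Output buffer (INDX_LABEL_SIZEMAX bytes)
+@param[in,out] output Output buffer (INDX_LABEL_SIZEMAX + 1 bytes)
 @param[in] length Length of input string contained in buf
-@return Number of bytes read
+@return Length of output string (without null terminator)
 */
 size_t mobi_getstring_ordt(const MOBIOrdt *ordt, MOBIBuffer *buf, unsigned char *output, size_t length) {
 size_t i = 0;
@@ -362,12 +362,16 @@ static MOBI_RET mobi_parse_index_entry(MOBIIndx *indx, const MOBIIdxt idxt, cons
 debug_print("Label length too long: %zu\n", label_length);
 return MOBI_DATA_CORRUPT;
 }
-char text[INDX_LABEL_SIZEMAX];
+char text[INDX_LABEL_SIZEMAX + 1];
 /* FIXME: what is ORDT1 for? */
 if (ordt->ordt2) {
 label_length = mobi_getstring_ordt(ordt, buf, (unsigned char*) text, label_length);
 } else {
 label_length = mobi_indx_get_label((unsigned char*) text, buf, label_length, indx->ligt_entries_count);
+if (buf->error != MOBI_SUCCESS) {
+debug_print("Buffer error reading label: %d\n", buf->error);
+return MOBI_DATA_CORRUPT;
+}
 }
 indx->entries[entry_number].label = malloc(label_length + 1);
 if (indx->entries[entry_number].label == NULL) {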
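Review bot: The new `buf->error != MOBI_SUCCESS` check covers only the `mobi_indx_get_label` branch, so a buffer error raised while `mobi_getstring_ordt` reads a corrupt label on the `ordt->ordt2` branch would still fall through to the `malloc(label_length + 1)` that follows. If `mobi_getstring_ordt` can set `buf->error` (its body is not in this hunk, and its updated @return does not say), the check should be moved below the if/else so both paths are guarded by the same `if (buf->error != MOBI_SUCCESS) { ... return MOBI_DATA_CORRUPT; }`. If it cannot, a short comment on the ORDT branch, e.g. `/* ORDT path: errors are reflected in the returned length, buf->error not used */`, would make the asymmetry intentional, and the @return of `mobi_getstring_ordt` should state that explicitly to match the wording added for `mobi_indx_get_label`. `mobi_parse_index_entry` begins before this hunk and continues past it.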
