
Commit dbe14f0

committed
src/sd2.c : Fix two potential buffer read overflows.
Closes: #93
1 parent 6abec1b commit dbe14f0


1 file changed

+11
-1
lines changed


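--- a/src/sd2.c
+++ b/src/sd2.c
@@ -517,6 +517,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
 
 rsrc.type_offset = rsrc.map_offset + 30 ;
 
+if (rsrc.map_offset + 28 > rsrc.rsrc_len)
+{ psf_log_printf (psf, "Bad map offset.\n") ;
+goto parse_rsrc_fork_cleanup ;
+} ;
+
 rsrc.type_count = read_rsrc_short (&rsrc, rsrc.map_offset + 28) + 1 ;
 if (rsrc.type_count < 1)
 { psf_log_printf (psf, "Bad type count.\n") ;
@@ -533,7 +538,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
 
 rsrc.str_index = -1 ;
 for (k = 0 ; k < rsrc.type_count ; k ++)
-{ marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
+{ if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
+{ psf_log_printf (psf, "Bad rsrc marker.\n") ;
+goto parse_rsrc_fork_cleanup ;
+} ;
+
+marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
 
 if (marker == STR_MARKER)
 { rsrc.str_index = k ;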
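Review bot: Both new guards compare only the start offset against `rsrc.rsrc_len` with `>`, so an offset equal to the length, or a byte or two short of it, still passes and the read that follows can run past the end of the buffer; this assumes `read_rsrc_short` reads two bytes and `read_rsrc_marker` four with no bounds check of their own, which is not visible on this page. The comparisons should cover the full width of the access, e.g. `if (rsrc.map_offset + 28 + 2 > rsrc.rsrc_len)` before the type count and `if (rsrc.type_offset + k * 8 + 4 > rsrc.rsrc_len)` inside the loop. If these offsets are signed ints taken from the file (the declarations are outside the hunks), a negative or near-maximum `map_offset` could also slip past an upper-bound-only test, so a check such as `rsrc.map_offset < 0` at the point where the offset is first read would be worth adding. The function and the loop body continue outside both hunks, so any further reads relative to `type_offset + k * 8` would need the same treatment.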
