From ab099caed5fbb6f603f2d6ebe68cba95279f13b3 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Wed, 13 Feb 2002 09:59:10 +0000
Subject: [PATCH] ber_get_next: return error if decoded ber_len is smaller than actual count

---
 libraries/liblber/io.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
index bde7ce3055..4a687de483 100644
--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -548,6 +548,15 @@ ber_get_next(
 }
 if (ber->ber_buf==NULL) {
+ ber_len_t l = ber->ber_rwptr - ber->ber_ptr;
+ /* ber->ber_ptr is always <= ber->ber->ber_rwptr.
+ * make sure ber->ber_len agrees with what we've
+ * already read.
+ */
+ if ( ber->ber_len < i + l ) {
+ errno = ERANGE;
+ return LBER_DEFAULT;
+ }
 ber->ber_buf = (char *) LBER_MALLOC( ber->ber_len + 1 );
 if (ber->ber_buf==NULL) {
 return LBER_DEFAULT;
@@ -556,10 +565,9 @@ ber_get_next(
 if (i) {
 AC_MEMCPY(ber->ber_buf, buf, i);
 }
- if (ber->ber_ptr < ber->ber_rwptr) {
- AC_MEMCPY(ber->ber_buf + i, ber->ber_ptr, ber->ber_rwptr-
- ber->ber_ptr);
- i += ber->ber_rwptr - ber->ber_ptr;
+ if (l > 0) {
+ AC_MEMCPY(ber->ber_buf + i, ber->ber_ptr, l);
+ i += l;
 }
 ber->ber_ptr = ber->ber_buf;
 ber->ber_usertag = 0;
--
2.39.5
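Review bot: The new lower-bound check in the `ber->ber_buf==NULL` branch still leaves `LBER_MALLOC( ber->ber_len + 1 )` without a visible upper bound on the decoded length. If ber_len_t is unsigned, as it appears to be, a maximal ber_len passes `ber->ber_len < i + l` and wraps `ber->ber_len + 1` to 0, so the copies that follow would write past a minimal allocation. Unless an earlier check in ber_get_next (outside this hunk) already caps the length, reject the wrap here as well, e.g. `if ( ber->ber_len + 1 < ber->ber_len ) { errno = ERANGE; return LBER_DEFAULT; }`. The added comment also has a typo: `ber->ber->ber_rwptr` should read `ber->ber_rwptr`. The body of ber_get_next starts and ends outside the hunk.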
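Review bot: The `if (l > 0)` guard in the second hunk no longer protects against `ber->ber_rwptr < ber->ber_ptr` the way the removed `ber->ber_ptr < ber->ber_rwptr` test did. `l` is declared as ber_len_t in the first hunk, so if that type is unsigned a violated invariant yields a very large `l` rather than a skipped copy. The `ber->ber_len < i + l` check will normally reject that value, but it depends on `i + l` not wrapping. Since the comment states the invariant as a fact, I would enforce it before computing `l`, for example `if ( ber->ber_rwptr < ber->ber_ptr ) { errno = ERANGE; return LBER_DEFAULT; }`.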