authorLadislav Zezula <zezula@volny.cz>2024-04-21 20:21:38 +0200
committerLadislav Zezula <zezula@volny.cz>2024-04-21 20:21:38 +0200
commitc4e3490d729ba42e92803b7f2ef90ed86b0b0eca (patch)
tree4bdb5d39a85932c9be7ddb74306814d7682089f5 /src/sparse/sparse.cpp
parenta26f04c11dd86e949e649a8c0a01eeaeae268c26 (diff)
Added buffer overflow checks to the Sparse decompression (https://github.com/ladislav-zezula/StormLib/issues/337)
Diffstat (limited to 'src/sparse/sparse.cpp')
-rw-r--r--src/sparse/sparse.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/sparse/sparse.cpp b/src/sparse/sparse.cpp
index 6d1b621..6cf2df2 100644
--- a/src/sparse/sparse.cpp
+++ b/src/sparse/sparse.cpp
@@ -261,7 +261,12 @@ int DecompressSparse(void * pvOutBuffer, int * pcbOutBuffer, void * pvInBuffer,
// If highest bit, it means that that normal data follow
if(OneByte & 0x80)
{
+ // Check the length of one chunk. Check for overflows
cbChunkSize = (OneByte & 0x7F) + 1;
+ if((pbInBuffer + cbChunkSize) > pbInBufferEnd)
+ return 0;
+
+ // Copy the chunk. Make sure that the buffer won't overflow
cbChunkSize = (cbChunkSize < cbOutBuffer) ? cbChunkSize : cbOutBuffer;
memcpy(pbOutBuffer, pbInBuffer, cbChunkSize);
pbInBuffer += cbChunkSize;
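Review bot: The added guard `if((pbInBuffer + cbChunkSize) > pbInBufferEnd)` computes a pointer that can lie more than one past the end of the input buffer before comparing it, which is undefined behaviour, and an optimiser may assume such a check never fires. Comparing lengths instead keeps the arithmetic inside the buffer: `if(cbChunkSize > (pbInBufferEnd - pbInBuffer)) return 0;`. The declarations of `cbChunkSize` and the pointers are outside the hunk, so a cast may be needed to keep the comparison free of signed/unsigned warnings. The early `return 0` leaves before anything visible here writes `*pcbOutBuffer`, so it is worth confirming that callers treat 0 as failure and do not use the output length afterwards. DecompressSparse's body starts and ends outside the hunk, so the rest of the loop is not covered by this note.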