From c4e3490d729ba42e92803b7f2ef90ed86b0b0eca Mon Sep 17 00:00:00 2001
From: Ladislav Zezula
Date: Sun, 21 Apr 2024 20:21:38 +0200
Subject: Added buffer overflow checks to the Sparse decompression (https://github.com/ladislav-zezula/StormLib/issues/337)
---
 src/sparse/sparse.cpp | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'src/sparse')
diff --git a/src/sparse/sparse.cpp b/src/sparse/sparse.cpp
index 6d1b621..6cf2df2 100644
--- a/src/sparse/sparse.cpp
+++ b/src/sparse/sparse.cpp
@@ -261,7 +261,12 @@ int DecompressSparse(void * pvOutBuffer, int * pcbOutBuffer, void * pvInBuffer,
 // If highest bit, it means that that normal data follow
 if(OneByte & 0x80)
 {
+ // Check the length of one chunk. Check for overflows
 cbChunkSize = (OneByte & 0x7F) + 1;
+ if((pbInBuffer + cbChunkSize) > pbInBufferEnd)
+ return 0;
+
+ // Copy the chunk. Make sure that the buffer won't overflow
 cbChunkSize = (cbChunkSize < cbOutBuffer) ? cbChunkSize : cbOutBuffer;
 memcpy(pbOutBuffer, pbInBuffer, cbChunkSize);
 pbInBuffer += cbChunkSize;
--
cgit v1.2.3
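Review bot: The new guard `if((pbInBuffer + cbChunkSize) > pbInBufferEnd)` forms a pointer up to 128 bytes beyond the input buffer before comparing it, which is undefined behaviour once the result is past the one-past-the-end position and is exactly the kind of check an optimizer is entitled to fold away; comparing remaining length instead keeps it well-defined, e.g. `if(cbChunkSize > (pbInBufferEnd - pbInBuffer)) return 0;` (assuming cbChunkSize is a signed integer type, which the hunk does not show). The unchanged line below it still clamps the chunk to `cbOutBuffer` rather than treating an output overrun as malformed input, so a truncated stream and a fully decoded one are indistinguishable to the caller; a comment stating that silent truncation is intended, or a distinct failure return, would make that contract explicit. DecompressSparse starts and ends outside the hunk, so whether `pbInBuffer < pbInBufferEnd` was already checked before OneByte was read, and how the zero-fill branch bounds its own length, cannot be verified from here.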