Fix boundary checking error in markup search, that could cause buffer…

… over-read with corrupt input
bfabiszewski · May 3, 2022 · 1e0378e · 1e0378e · carnil · May 28, 2022
1 parent 1297ee0
commit 1e0378e
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,4 @@
+2022-05-03: Fix boundary checking error in markup search, that could cause buffer over-read with corrupt input
 2022-05-02: Fix typo in macro name
 2022-04-27: Fix undefined behavior when passing null to strdup
 2022-04-27: Fix wrong boundary checks in inflections parser resulting in stack buffer over-read with corrupt input

diff --git a/src/parse_rawml.c b/src/parse_rawml.c
@@ -107,7 +107,7 @@ MOBI_RET mobi_search_links_kf7(MOBIResult *result, const unsigned char *data_sta
                     result->value[i++] = (char) *data++;
                 }
                 /* self closing tag '/>' */
-                if (*(data - 1) == '/' && *data == '>') {
+                if (data <= data_end && *(data - 1) == '/' && *data == '>') {
                     --data; --i;
                 }
                 result->end = data;
@@ -182,7 +182,7 @@ MOBI_RET mobi_find_attrvalue(MOBIResult *result, const unsigned char *data_start
                 result->value[i++] = (char) *data++;
             }
             /* self closing tag '/>' */
-            if (*(data - 1) == '/' && *data == '>') {
+            if (data <= data_end && *(data - 1) == '/' && *data == '>') {
                 --data; --i;
             }
             result->end = data;
@@ -354,7 +354,7 @@ size_t mobi_get_attribute_value(char *value, const unsigned char *data, const si
                 length--;
             }
             /* self closing tag '/>' */
-            if (*(data - 1) == '/' && *data == '>') {
+            if (length && *(data - 1) == '/' && *data == '>') {
                 value--;
             }
             *value = '\0';