Fix issue with corrupt files with tagvalues_count = 0 that caused nul…

…l pointer dereference
bfabiszewski · Apr 23, 2022 · ce0ab65 · ce0ab65
1 parent cded29d
commit ce0ab65
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,4 @@
+2022-04-23: Fix issue with corrupt files with tagvalues_count = 0 that caused heap buffer over-read
 2022-04-23: Fix issues when mobi_buffer_getpointer returns null. With corrupt data this could lead to out-of-bounds read
 2022-04-13: Add packaging status [skip ci]
 2022-04-10: Make random generation return proper error codes

diff --git a/src/index.c b/src/index.c
@@ -1057,7 +1057,7 @@ MOBI_RET mobi_trie_insert_infl(MOBITrie **root, const MOBIIndx *indx, size_t i)
     for (size_t j = 0; j < e.tags_count; j++) {
         MOBIIndexTag t = e.tags[j];
         if (t.tagid == INDX_TAGARR_INFL_PARTS_V1) {
-            for (size_t k = 0; k < t.tagvalues_count - 1; k += 2) {
+            for (size_t k = 0; k + 1 < t.tagvalues_count; k += 2) {
                 uint32_t len = t.tagvalues[k];
                 uint32_t offset = t.tagvalues[k + 1];
                 char *base = mobi_get_cncx_string_flat(indx->cncx_record, offset, len);