From ce0ab6586069791b1e8e2a42f44318e581c39939 Mon Sep 17 00:00:00 2001
From: Bartek Fabiszewski
Date: Sat, 23 Apr 2022 16:30:01 +0200
Subject: [PATCH] Fix issue with corrupt files with tagvalues_count = 0 that caused null pointer dereference
---
 ChangeLog | 1 +
 src/index.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index eda42fb..a834fe2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+2022-04-23: Fix issue with corrupt files with tagvalues_count = 0 that caused heap buffer over-read
 2022-04-23: Fix issues when mobi_buffer_getpointer returns null. With corrupt data this could lead to out-of-bounds read
 2022-04-13: Add packaging status [skip ci]
 2022-04-10: Make random generation return proper error codes
diff --git a/src/index.c b/src/index.c
index b2aaec4..14fbc26 100644
--- a/src/index.c
+++ b/src/index.c
@@ -1057,7 +1057,7 @@ MOBI_RET mobi_trie_insert_infl(MOBITrie **root, const MOBIIndx *indx, size_t i)
 for (size_t j = 0; j < e.tags_count; j++) {
 MOBIIndexTag t = e.tags[j];
 if (t.tagid == INDX_TAGARR_INFL_PARTS_V1) {
-for (size_t k = 0; k < t.tagvalues_count - 1; k += 2) {
+for (size_t k = 0; k + 1 < t.tagvalues_count; k += 2) {
 uint32_t len = t.tagvalues[k];
 uint32_t offset = t.tagvalues[k + 1];
 char *base = mobi_get_cncx_string_flat(indx->cncx_record, offset, len);
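Review bot: The new loop bound in the src/index.c hunk depends on two facts that are not visible from the line itself: tagvalues is consumed as (len, offset) pairs, and the `k + 1 < count` form is what prevents the old `count - 1` from wrapping to a huge value when a corrupt file gives tagvalues_count == 0 (presumably an unsigned type, given the size_t loop index); a comment on the `for` line would keep the next maintainer from "simplifying" it back, e.g. `/* (len, offset) pairs; k + 1 < count skips an unpaired trailing value and does not wrap when count == 0 */`. The commit subject calls the bug a null pointer dereference while the ChangeLog entry in the same patch calls it a heap buffer over-read; the two descriptions should agree on what the crash was. The `base` pointer returned on the hunk's last line can only be safely used after a NULL check, which, if present, lies beyond the hunk, as does the rest of mobi_trie_insert_infl.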