Fix array boundary check when parsing inflections which could result …

…in buffer over-read with corrupt input
bfabiszewski · Apr 26, 2022 · fb1ab50 · fb1ab50 · carnil · May 28, 2022
1 parent 4b60805
commit fb1ab50
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,8 +1,9 @@
+2022-04-26: Fix array boundary check when parsing inflections which could result in buffer over-read with corrupt input
 2022-04-23: Fix formatting
 2022-04-23: Fix checking boundary of deobfuscation key which could cause buffer over-read with corrupt data
 2022-04-23: Fix issue with corrupt data with empty lookup string which could lead to read beyond buffer
-2022-04-23: Fix faulty checks for array boundary which caused buffer over-read
-2022-04-23: Fix issue with corrupt files with tagvalues_count = 0 that caused heap buffer over-read
+2022-04-23: Fix faulty checks for array boundary which caused buffer over-read with corrupt input
+2022-04-23: Fix issue with corrupt files with tagvalues_count = 0 that caused null pointer dereference
 2022-04-23: Fix issues when mobi_buffer_getpointer returns null. With corrupt data this could lead to out-of-bounds read
 2022-04-13: Add packaging status [skip ci]
 2022-04-10: Make random generation return proper error codes

diff --git a/src/parse_rawml.c b/src/parse_rawml.c
@@ -1413,6 +1413,10 @@ MOBI_RET mobi_reconstruct_infl(char *outstring, const MOBIIndx *infl, const MOBI
 
             unsigned char decoded[INDX_INFLBUF_SIZEMAX + 1];
             memset(decoded, 0, INDX_INFLBUF_SIZEMAX + 1);
+            if (parts[j] >= infl->entries_count) {
+                debug_print("%s\n", "Invalid entry offset");
+                return MOBI_DATA_CORRUPT;
+            }
             unsigned char *rule = (unsigned char *) infl->entries[parts[j]].label;
             memcpy(decoded, label, label_length);
             int decoded_length = (int) label_length;