diff options
author | Ignacio Casal Quinteiro <qignacio@amazon.com> | 2017-04-16 13:13:43 +0200 |
---|---|---|
committer | Ignacio Casal Quinteiro <qignacio@amazon.com> | 2017-04-16 13:19:29 +0200 |
commit | 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 (patch) | |
tree | c5c2d9e9c2c6f84a633313f093840d13bf15c1ac | |
parent | b3230f4fe1ed8f1d092279e41bf53a266bddab73 (diff) | |
download | libcroco-898e3a8c8c0314d2e6b106809a8e3e93cf9d4394.tar.gz |
input: check end of input before reading a byte
When reading bytes we weren't check that the index wasn't
out of bound and this could produce an invalid read which
could deal to a security bug.
-rw-r--r-- | src/cr-input.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/cr-input.c b/src/cr-input.c index 49000b1..3b63a88 100644 --- a/src/cr-input.c +++ b/src/cr-input.c @@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc) *we should free buf here because it's own by CRInput. *(see the last parameter of cr_input_new_from_buf(). */ - buf = NULL ; + buf = NULL; } cleanup: @@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this) enum CRStatus cr_input_read_byte (CRInput * a_this, guchar * a_byte) { + gulong nb_bytes_left = 0; + g_return_val_if_fail (a_this && PRIVATE (a_this) && a_byte, CR_BAD_PARAM_ERROR); @@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte) if (PRIVATE (a_this)->end_of_input == TRUE) return CR_END_OF_INPUT_ERROR; + nb_bytes_left = cr_input_get_nb_bytes_left (a_this); + + if (nb_bytes_left < 1) { + return CR_END_OF_INPUT_ERROR; + } + *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index]; if (PRIVATE (a_this)->nb_bytes - @@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char) if (*a_char == '\n') { PRIVATE (a_this)->end_of_line = TRUE; } - } return status; |