From f2c2aefe4e8eef9582e816d847be4b765f01699c Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Tue, 31 Dec 2019 08:41:56 +0100
Subject: avoid integer overflow (AFL)

---
 camlibs/ricoh/g3.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/camlibs/ricoh/g3.c b/camlibs/ricoh/g3.c
index af37467d8..9c1a74074 100644
--- a/camlibs/ricoh/g3.c
+++ b/camlibs/ricoh/g3.c
@@ -69,10 +69,12 @@ g3_channel_read(GPPort *port, int *channel, char **buffer, unsigned int *len)

 	*channel = xbuf[1];
 	*len = xbuf[4] + (xbuf[5]<<8) + (xbuf[6]<<16) + (xbuf[7]<<24);
+	if (*len >= 0xffffffff-0x800-1) return GP_ERROR_CORRUPTED_DATA;
 	/* Safety buffer of 0x800 ... we can only read in 0x800 chunks,
 	 * otherwise the communication gets hickups. However *len might be
 	 * less.
 	 */
+	gp_log(GP_LOG_DEBUG, "g3" ,"length %u\n", *len);
 	if (!*buffer)
 		*buffer = malloc(*len + 1 + 0x800);
 	else
-- 
cgit v1.2.1
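Review bot: The new guard after the `*len` assignment only rules out wraparound in `*len + 1 + 0x800`; any length below roughly 4 GiB taken from the device header still reaches `malloc`, and whether the allocation result is checked cannot be seen because the function body continues outside the hunk. If the protocol has a known maximum transfer size, comparing against that would reject corrupted headers earlier; otherwise a comment such as `/* reject lengths where *len + 1 + 0x800 would wrap */` would explain the magic constant. Separately, in the context line that computes `*len`, `xbuf[7]<<24` is evaluated as `int` if `xbuf` is an unsigned char array (its declaration is outside the hunk), so a top byte of 0x80 or more overflows the signed shift; `((unsigned int)xbuf[7]<<24)` avoids that.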