From 99db282d016e6b642da6463d00447cbdbb6dbff0 Mon Sep 17 00:00:00 2001
From: David Tardon
Date: Sat, 16 Sep 2017 10:35:41 +0200
Subject: cid#1306208 sanitize loop bound

Change-Id: I33d0013a193f4d9a2f92332cde71ce2d00bd02a4
---
 src/lib/FHParser.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/lib/FHParser.cpp b/src/lib/FHParser.cpp
index 0959305..c439b9a 100644
--- a/src/lib/FHParser.cpp
+++ b/src/lib/FHParser.cpp
@@ -2382,6 +2382,8 @@ void libfreehand::FHParser::readUString(librevenge::RVNGInputStream *input, libf
 long startPosition = input->tell();
 unsigned short size = readU16(input);
 unsigned short length = readU16(input);
+ if (length > getRemainingLength(input) / 2)
+ length = getRemainingLength(input) / 2;
 std::vector ustr;
 unsigned short character = 0;
 if (length)
-- 
cgit v1.2.3
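Review bot: The clamp bounds `length` but leaves `size` unchecked, although it is read from the same untrusted stream one line earlier. readUString continues past the end of the hunk, so whether `size` later drives a seek or an allocation is not visible here and should be confirmed. Within the added lines, `getRemainingLength(input)` is evaluated twice and its result is narrowed implicitly into an `unsigned short`. Computing it once makes the bound explicit, e.g. `const unsigned long maxLength = getRemainingLength(input) / 2;` followed by `if (length > maxLength) length = static_cast<unsigned short>(maxLength);` (assuming the helper returns an unsigned integer type). A short comment such as `// each character is a U16, so at most remaining/2 of them fit in the stream` would record why the divisor is 2.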