author | David Tardon <dtardon@redhat.com> | 2015-08-17 16:58:21 +0200 |
---|---|---|
committer | David Tardon <dtardon@redhat.com> | 2015-08-17 18:07:41 +0200 |
commit | 6611e91b52506820b9ded09f0c45810ab7c4ad98 (patch) | |
tree | 7b254dbc15546fda094e2dd775c984062011c8b4 /src/lib/CDRParser.cpp | |
parent | 65d6b995beb37236301edd9ecdaab9161e58eb96 (diff) |
afl: improve sanity check
Change-Id: I58d8100c4e6e5d15464df6868625fffe8b51d947
Diffstat (limited to 'src/lib/CDRParser.cpp')
-rw-r--r-- | src/lib/CDRParser.cpp | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp
index c6eabc9..101d9bf 100644
--- a/src/lib/CDRParser.cpp
+++ b/src/lib/CDRParser.cpp
@@ -1636,11 +1636,18 @@ void libcdr::CDRParser::readTrfd(librevenge::RVNGInputStream *input, unsigned le
 if (!_redirectX6Chunk(&input, length))
 throw GenericException();
 long startPosition = input->tell();
+ const unsigned long maxLength = getLength(input);
+ if (startPosition >= long(maxLength))
+ return;
+ if ((length > maxLength) || (long(maxLength - length) < startPosition))
+ length = unsigned(maxLength - static_cast<unsigned long>(startPosition)); // sanitize length
 unsigned chunkLength = readUnsigned(input);
 unsigned numOfArgs = readUnsigned(input);
- if (numOfArgs > length / 4) // avoid extra big allocation in case of a broken file
- numOfArgs = length / 4;
 unsigned startOfArgs = readUnsigned(input);
+ if (startOfArgs >= length)
+ return;
+ if (numOfArgs > (length - startOfArgs) / 4) // avoid extra big allocation in case of a broken file
+ numOfArgs = (length - startOfArgs) / 4;
 std::vector<unsigned> argOffsets(numOfArgs, 0);
 unsigned i = 0;
 input->seek(startPosition+startOfArgs, librevenge::RVNG_SEEK_SET);
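Review bot: The new guards at the top of readTrfd do not cover a negative startPosition: if input->tell() can report failure with a negative value (hedged — librevenge returns long, so this depends on the stream implementation), `startPosition >= long(maxLength)` is false, `long(maxLength - length) < startPosition` is also false, and the untrusted `length` reaches the later `(length - startOfArgs) / 4` cap and the `input->seek(startPosition+startOfArgs, ...)` unsanitized. Tightening the first check to `if (startPosition < 0 || startPosition >= long(maxLength)) return;` closes that path with no other change to the logic. As a point of style, the same hunk mixes functional casts (`long(maxLength)`, `unsigned(...)`) with `static_cast<unsigned long>(startPosition)`; using `static_cast` throughout keeps the signed/unsigned conversions greppable, which matters in a sanitizer that exists only to bound attacker-controlled sizes. The remainder of readTrfd, including the loop that fills argOffsets and consumes numOfArgs, is outside the hunk.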