blob: f3766bb24b321beb9ddd9ae5ad35ca2590806e89 (
plain) (
tree)
|
|
From c7baae72b36acdc24f56ad48d3e859850fdbdc2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A1bor=20Cs=C3=A1rdi?= <csardi.gabor@gmail.com>
Date: Sat, 17 Feb 2024 21:23:14 +0100
Subject: [PATCH] Fix a buffer overflow (#311)
It happens if raw_str_used underflows and ends up a very large number,
which is then used as the size of a string.
Closes #285.
---
src/spss/readstat_sav_read.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/spss/readstat_sav_read.c b/src/spss/readstat_sav_read.c
index 7f49490..460bf07 100644
--- a/src/spss/readstat_sav_read.c
+++ b/src/spss/readstat_sav_read.c
@@ -717,7 +717,7 @@ static readstat_error_t sav_process_row(unsigned char *buffer, size_t buffer_len
}
if (++offset == col_info->width) {
if (++segment_offset < var_info->n_segments) {
- raw_str_used--;
+ if (raw_str_used > 0) raw_str_used--;
}
offset = 0;
col++;
|