path: root/user/readstat/buf-overflow.patch
blob: f3766bb24b321beb9ddd9ae5ad35ca2590806e89 (plain) (tree)

























                                                                                                    
From c7baae72b36acdc24f56ad48d3e859850fdbdc2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A1bor=20Cs=C3=A1rdi?= <csardi.gabor@gmail.com>
Date: Sat, 17 Feb 2024 21:23:14 +0100
Subject: [PATCH] Fix a buffer overflow (#311)

It happens if raw_str_used underflows and ends up a very large number,
which is then used as the size of a string.

Closes #285.
---
 src/spss/readstat_sav_read.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/spss/readstat_sav_read.c b/src/spss/readstat_sav_read.c
index 7f49490..460bf07 100644
--- a/src/spss/readstat_sav_read.c
+++ b/src/spss/readstat_sav_read.c
@@ -717,7 +717,7 @@ static readstat_error_t sav_process_row(unsigned char *buffer, size_t buffer_len
             }
             if (++offset == col_info->width) {
                 if (++segment_offset < var_info->n_segments) {
-                    raw_str_used--;
+                    if (raw_str_used > 0) raw_str_used--;
                 }
                 offset = 0;
                 col++;
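Review bot: The new guard on the `raw_str_used--` line stops the counter from wrapping but silently accepts the malformed input that caused the extra decrement, so a file that over-reports segment boundaries is still processed with whatever length the counter then holds rather than being rejected; since sav_process_row returns readstat_error_t, the zero case looks like a place to bail out with the parser's malformed-input error instead of clamping, if the surrounding code can tolerate that. The declaration of raw_str_used is not in the hunk, so I assume it is an unsigned type (presumably size_t) — if it is signed the original bug would have been a negative length rather than an underflow, and the fix should be re-checked. The clamp also deserves a comment stating why it exists, e.g. `/* malformed files can report more segment boundaries than raw string bytes (#285); never let the count underflow */`. The enclosing function sav_process_row starts before and continues past this hunk.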