Diffstat (limited to 'user/readstat/buf-overflow.patch')
-rw-r--r-- | user/readstat/buf-overflow.patch | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/user/readstat/buf-overflow.patch b/user/readstat/buf-overflow.patch
new file mode 100644
index 000000000..f3766bb24
--- /dev/null
+++ b/user/readstat/buf-overflow.patch
@@ -0,0 +1,26 @@
+From c7baae72b36acdc24f56ad48d3e859850fdbdc2b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=A1bor=20Cs=C3=A1rdi?= <csardi.gabor@gmail.com>
+Date: Sat, 17 Feb 2024 21:23:14 +0100
+Subject: [PATCH] Fix a buffer overflow (#311)
+
+It happens if raw_str_used underflows and ends up a very large number,
+which is then used as the size of a string.
+
+Closes #285.
+---
+ src/spss/readstat_sav_read.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/spss/readstat_sav_read.c b/src/spss/readstat_sav_read.c
+index 7f49490..460bf07 100644
+--- a/src/spss/readstat_sav_read.c
++++ b/src/spss/readstat_sav_read.c
+@@ -717,7 +717,7 @@ static readstat_error_t sav_process_row(unsigned char *buffer, size_t buffer_len
+ }
+ if (++offset == col_info->width) {
+ if (++segment_offset < var_info->n_segments) {
+- raw_str_used--;
++ if (raw_str_used > 0) raw_str_used--;
+ }
+ offset = 0;
+ col++; |
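Review bot: The guard `if (raw_str_used > 0) raw_str_used--;` in the `++segment_offset < var_info->n_segments` branch stops the wraparound, but it treats a zero count at a segment boundary as ordinary input, so a row that is presumably malformed is parsed on silently rather than rejected. Because the commit message says the value is later used as a string size, the line deserves a why-comment such as `/* a 0 here means inconsistent segment data; do not let the count wrap */`, and it is worth raising upstream whether this case should return a parse error instead. sav_process_row starts and ends outside the hunk, so any other decrement of raw_str_used or the later size use cannot be checked from here. On the packaging side, note in the build recipe that this file is upstream commit c7baae72b36acdc24f56ad48d3e859850fdbdc2b (#311), so it is dropped when the package moves to a release that contains it.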