diff options
| author | sudden6 <sudden6@gmx.at> | 2019-08-03 14:55:41 +0200 |
|---|---|---|
| committer | sudden6 <sudden6@gmx.at> | 2019-08-04 16:38:49 +0200 |
| commit | 8ed83c3d4c13b059c2645c176ab7789541a4374b (patch) | |
| tree | 08eecb08ff210c64710a4d5743680f4b9f2dcc04 /toxcore | |
| parent | 7418174129dc4baecacbba3392c68435b3e49d3c (diff) | |
fix missing group title length check
This fixes a buffer overflow when a malformed *.tox save file is
loaded.
Diffstat (limited to 'toxcore')
| -rw-r--r-- | toxcore/group.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/toxcore/group.c b/toxcore/group.c index f6f8c704..c1779ef9 100644 --- a/toxcore/group.c +++ b/toxcore/group.c | |||
| @@ -3294,6 +3294,11 @@ static State_Load_Status load_conferences(Group_Chats *g_c, const uint8_t *data, | |||
| 3294 | } | 3294 | } |
| 3295 | 3295 | ||
| 3296 | g->title_len = *data; | 3296 | g->title_len = *data; |
| 3297 | |||
| 3298 | if (g->title_len > MAX_NAME_LENGTH) { | ||
| 3299 | return STATE_LOAD_STATUS_ERROR; | ||
| 3300 | } | ||
| 3301 | |||
| 3297 | ++data; | 3302 | ++data; |
| 3298 | 3303 | ||
| 3299 | if (length < (uint32_t)(data - init_data) + g->title_len) { | 3304 | if (length < (uint32_t)(data - init_data) + g->title_len) { |