authorsudden6 <sudden6@gmx.at>2019-08-03 14:55:41 +0200
committersudden6 <sudden6@gmx.at>2019-08-04 16:38:49 +0200
commit8ed83c3d4c13b059c2645c176ab7789541a4374b (patch)
tree08eecb08ff210c64710a4d5743680f4b9f2dcc04 /toxcore
parent7418174129dc4baecacbba3392c68435b3e49d3c (diff)
fix missing group title length check
This fixes a buffer overflow when a malformed *.tox save file is loaded.
Diffstat (limited to 'toxcore')
-rw-r--r--toxcore/group.c5
1 files changed, 5 insertions, 0 deletions
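--- a/toxcore/group.c
+++ b/toxcore/group.c
@@ -3294,6 +3294,11 @@ static State_Load_Status load_conferences(Group_Chats *g_c, const uint8_t *data,
 }
 
 g->title_len = *data;
+
+if (g->title_len > MAX_NAME_LENGTH) {
+return STATE_LOAD_STATUS_ERROR;
+}
+
 ++data;
 
 if (length < (uint32_t)(data - init_data) + g->title_len) {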
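Review bot: The byte from the save file is stored into `g->title_len` before the new bound check, so on the `STATE_LOAD_STATUS_ERROR` return the conference object still holds a length larger than `MAX_NAME_LENGTH`. Whether that matters depends on how the caller treats a failed load, which is not visible here (load_conferences starts and ends outside the hunk); if the partially loaded conference is kept, later code that trusts `title_len` could read or copy past the title buffer. Validating a local first avoids leaving the bad value behind: `const uint8_t title_len = *data;`, `if (title_len > MAX_NAME_LENGTH) { return STATE_LOAD_STATUS_ERROR; }`, then `g->title_len = title_len;`. A one-line comment such as `/* title_len comes from the save file; reject it before it is used as a copy length */` would also record why the check is there.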