author | Timo Teräs <timo.teras@iki.fi> | 2012-11-12 15:28:53 +0200 |
---|---|---|
committer | Timo Teräs <timo.teras@iki.fi> | 2012-11-12 15:28:53 +0200 |
commit | c17f12b2ee059aa2c78f25bb0f97e2cfe93dde8f (patch) | |
tree | 1d09499d1e16c72eb4e5abad501d43f2f210768b | |
parent | dd27d08692576575cf675b04b5a7149b4f03b879 (diff) | |
filterdb: check section limits for literal strings
-rw-r--r-- | src/filterdb.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/filterdb.c b/src/filterdb.c
index d3f4c6a..c359ce6 100644
--- a/src/filterdb.c
+++ b/src/filterdb.c
@@ -141,17 +141,23 @@ void *sqdb_section_get(struct sqdb *db, int id, uint32_t *size)
 blob_t sqdb_get_string_literal(struct sqdb *db, uint32_t encoded_ptr)
 {
+ uint32_t section_size;
 unsigned char *ptr;
 unsigned int len, off;
- ptr = sqdb_section_get(db, SQDB_SECTION_STRINGS, NULL);
+ ptr = sqdb_section_get(db, SQDB_SECTION_STRINGS, §ion_size);
 if (ptr == NULL)
 return BLOB_NULL;
 off = encoded_ptr >> SQDB_LENGTH_BITS;
 len = encoded_ptr & ((1 << SQDB_LENGTH_BITS) - 1);
+
+ if (off + len >= section_size)
+ return BLOB_NULL;
 if (len == 0)
 len = ptr[off++];
+ if (off + len >= section_size)
+ return BLOB_NULL;
 return BLOB_PTR_LEN(ptr + off, len);
 } |
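Review bot: Both added checks in `sqdb_get_string_literal` compare with `off + len >= section_size`, which also rejects a literal whose last byte is the last byte of the strings section; unless the file format guarantees a trailing byte there (not visible in this hunk), the range test should use `>`. The first check exists only to keep the `ptr[off++]` length-byte read in bounds and is repeated by the second whenever `len != 0`, so it could be reduced to `if (off >= section_size) return BLOB_NULL;` before the `len == 0` branch, with the final test written in subtraction form, `if (len > section_size - off) return BLOB_NULL;`, which does not rely on the sum fitting in an `unsigned int`. A one-line comment saying that `encoded_ptr` is read from the database file and is therefore validated against the section size would record why the checks are there. The `§ion_size` argument shown on this page appears to be an entity-decoding artifact of `&section_size`.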