From c17f12b2ee059aa2c78f25bb0f97e2cfe93dde8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?=
Date: Mon, 12 Nov 2012 15:28:53 +0200
Subject: filterdb: check section limits for literal strings

---
 src/filterdb.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/filterdb.c b/src/filterdb.c
index d3f4c6a..c359ce6 100644
--- a/src/filterdb.c
+++ b/src/filterdb.c
@@ -141,17 +141,23 @@ void *sqdb_section_get(struct sqdb *db, int id, uint32_t *size)
 
 blob_t sqdb_get_string_literal(struct sqdb *db, uint32_t encoded_ptr)
 {
+ uint32_t section_size;
  unsigned char *ptr;
  unsigned int len, off;
 
- ptr = sqdb_section_get(db, SQDB_SECTION_STRINGS, NULL);
+ ptr = sqdb_section_get(db, SQDB_SECTION_STRINGS, §ion_size);
  if (ptr == NULL)
   return BLOB_NULL;
 
  off = encoded_ptr >> SQDB_LENGTH_BITS;
  len = encoded_ptr & ((1 << SQDB_LENGTH_BITS) - 1);
+
+ if (off + len >= section_size)
+  return BLOB_NULL;
  if (len == 0)
   len = ptr[off++];
+ if (off + len >= section_size)
+  return BLOB_NULL;
 
  return BLOB_PTR_LEN(ptr + off, len);
 }
-- 
cgit v1.2.3
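Review bot: Both new bounds checks use `>=`, which rejects a string whose last byte is the last byte of the section: the returned blob covers `ptr[off .. off+len-1]`, so `off + len == section_size` is in bounds, yet the second check turns it into `BLOB_NULL`. The first check does need `off < section_size` for the `len == 0` path, because `ptr[off]` is read there before `off` is advanced. A form that keeps that guard, drops the off-by-one on the final check and never computes `off + len` is `if (off >= section_size) return BLOB_NULL;` before the length byte is read and `if (len > section_size - off) return BLOB_NULL;` after it. The `sqdb_section_get` call is shown here as `§ion_size`, which looks like `&section_size` with the `&` mangled in rendering; worth confirming the committed source passes `&section_size`.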