src/lib/CDRParser.cpp | 4 ++++
1 file changed, 4 insertions(+)
New commits:
commit 9f3400fbd8a7e8fa3dedbee9edb8ecffff5bd573
Author: Caolán McNamara <[email protected]>
AuthorDate: Fri May 22 20:56:20 2026 +0000
Commit: Caolán McNamara <[email protected]>
CommitDate: Sat May 23 17:48:50 2026 +0200
clamp numChars against remaining input in readTxsm6 and readTxsm16
Change-Id: If34eeced6956c3783daf4b935163008d03d2cb26
Reviewed-on: https://gerrit.libreoffice.org/c/libcdr/+/205587
Tested-by: Caolán McNamara <[email protected]>
Reviewed-by: Caolán McNamara <[email protected]>
diff --git a/src/lib/CDRParser.cpp b/src/lib/CDRParser.cpp
index c58251e..3db6f62 100644
--- a/src/lib/CDRParser.cpp
+++ b/src/lib/CDRParser.cpp
@@ -2775,6 +2775,8 @@ void
libcdr::CDRParser::readTxsm16(librevenge::RVNGInputStream *input)
}
unsigned numChars = readU32(input);
+ if (numChars > getRemainingLength(input) / 8)
+ numChars = getRemainingLength(input) / 8;
std::vector<unsigned char> charDescriptions(numChars);
for (i=0; i<numChars; ++i)
{
@@ -2882,6 +2884,8 @@ void
libcdr::CDRParser::readTxsm6(librevenge::RVNGInputStream *input)
}
unsigned numChars = readU32(input);
input->seek(4, librevenge::RVNG_SEEK_CUR);
+ if (numChars > getRemainingLength(input) / 12)
+ numChars = getRemainingLength(input) / 12;
std::vector<unsigned char> textData;
std::vector<unsigned char> charDescriptions;
textData.reserve(numChars);
