Fix off-by-one in mvelib processing

When exactly four bytes remain, mvelib will attempt to compute a
past-the-end pointer.  Some handlers will dereference this pointer
without rechecking the length.  Adjust the header check to require a
non-empty body.

Reported-by: jwrdegoede <https://github.com/dxx-rebirth/dxx-rebirth/issues/413>
Kp 2018-12-18 03:36:34 +00:00
parent 992f35feb8
commit 8db88cb2b5


@ -101,7 +101,7 @@ static bool have_segment_header(const MVEFILE *movie)
if (movie->next_segment >= movie->cur_chunk.size())
return false;
/* if we don't have enough data to get a segment, fail */
if (movie->cur_chunk.size() - movie->next_segment < 4)
if (movie->cur_chunk.size() - movie->next_segment <= 4)
return false;
return true;
}
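Review bot: the tightened check on the `<= 4` line guarantees only that at least one byte follows the 4-byte segment header, not that the body length a handler will go on to consume is actually present in `cur_chunk`; since the commit message says some handlers dereference the post-header pointer without rechecking the length, those handlers still need their own bounds check against `cur_chunk.size() - next_segment` (or the declared segment length should be validated here) before this closes the read-past-end case completely. Also, the comment "if we don't have enough data to get a segment, fail" now sits above a condition that reads like an off-by-one to anyone who knows the header is 4 bytes; updating it to say a segment is header plus a non-empty body, and naming the 4 (e.g. a `segment_header_size` constant) would document the intent the commit message gives.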