Fix off-by-one in mvelib processing

When exactly four bytes remain, mvelib will attempt to compute a past-the-end pointer. Some handlers will dereference this pointer without rechecking the length. Adjust the header check to require a non-empty body.

Reported-by: jwrdegoede <https://github.com/dxx-rebirth/dxx-rebirth/issues/413>
parent 992f35feb8
commit 8db88cb2b5
@ -101,7 +101,7 @@ static bool have_segment_header(const MVEFILE *movie)
if (movie->next_segment >= movie->cur_chunk.size())
return false;
/* if we don't have enough data to get a segment, fail */
if (movie->cur_chunk.size() - movie->next_segment < 4)
if (movie->cur_chunk.size() - movie->next_segment <= 4)
return false;
return true;
}
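Review bot: The comment above the changed comparison in have_segment_header() still reads "if we don't have enough data to get a segment, fail", which no longer explains the condition: with `<= 4` the function also returns false when a full four-byte header is present but no body byte follows it. Please reword the comment to say that a header with an empty body is rejected on purpose, and why (the commit message says some handlers use the body pointer without rechecking the length), so that a later reader does not "correct" the comparison back to `< 4`. The bare 4 would also be clearer as a named constant for the segment header size. Two things are worth confirming before merge. First, that no segment type is legitimately expected to arrive as the last four bytes of a chunk with a zero-length body, since it would now be skipped silently. Second, this check only guarantees at least one byte after the header; nothing in these lines ties the segment's declared length to the bytes actually remaining, so handlers that read more than one byte still need their own bounds check.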