libextractor

GNU libextractor
Log | Files | Refs | Submodules | README | LICENSE

commit 46b15b6623198a87fb6d2db080ad724310748a6a
parent fb82bbd64280a8cadc3e70dab9619a660359c577
Author: Christian Grothoff <christian@grothoff.org>
Date:   Tue, 30 Jun 2026 19:10:24 +0200

fix atom size computation, ensure depth check applies also in cmovHandler

Diffstat:
Msrc/plugins/qt_extractor.c | 15++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/plugins/qt_extractor.c b/src/plugins/qt_extractor.c @@ -891,12 +891,14 @@ cmovHandler (const char *input, if (s > MAX_CMOV_SIZE) return -1; /* ignore, too big! */ buf = malloc (s); - if (buf == NULL) + if (NULL == buf) return -1; /* out of memory, handle gracefully */ memset (&z_state, 0, sizeof (z_state)); - z_state.next_in = (unsigned char *) &c[1]; - z_state.avail_in = ntohl (c->cmvdAtom.size); + z_state.next_in = (unsigned char *) &c[1]; /* data starts after 'c' */ + z_state.avail_in = ntohl (c->cmvdAtom.size) + - sizeof (struct Atom) /* cmvdAtom itself */ + - sizeof (uint32_t); /* decompressedSize field */ z_state.avail_out = s; z_state.next_out = (unsigned char *) buf; z_state.zalloc = (alloc_func) 0; @@ -923,11 +925,18 @@ cmovHandler (const char *input, free (buf); return -1; /* decode error? */ } + if (ec->depth >= MAX_ATOM_DEPTH) + { + free (buf); + return -1; + } + ec->depth++; ret = handleAtom (all_handlers, buf, s, 0, ec); + ec->depth--; free (buf); return ret; }