File 0003-Add-missing-bounds-check-for-RLE-decompressor.patch of Package kdegraphics-mobipocket

From e17e5b2e32b50cad1a67390484f4b5f2d7017e65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20Br=C3=BCns?= <stefan.bruens@rwth-aachen.de>
Date: Fri, 28 Feb 2025 22:22:15 +0100
Subject: [PATCH 3/4] Add missing bounds check for RLE decompressor

If `shift` is larger than the current ret.size(), shifted will wrap
around.
---
 lib/decompressor.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/decompressor.cpp b/lib/decompressor.cpp
index 8509e7c..94d4d0c 100644
--- a/lib/decompressor.cpp
+++ b/lib/decompressor.cpp
@@ -138,9 +138,13 @@ QByteArray RLEDecompressor::decompress(const QByteArray& data)
                                         N+=(unsigned char)data.at(i++);
 					copyLength = (N & 7) + 3;
 					shift = (N & 0x3fff) / 8;
-					shifted = ret.size()-shift;
-					if (shifted>(ret.size()-1)) goto endOfLoop;
-					for (int i=0;i<copyLength;i++) ret.append(ret.at(shifted+i));
+					if ((shift < 1) || (shift > ret.size())) {
+						return ret;
+					}
+					shifted = ret.size() - shift;
+					for (int i = shifted; i < shifted + copyLength; i++) {
+						ret.append(ret.at(i));
+					}
 					break;
 			}
 		}
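Review bot: The new range check on `shift` keeps the back-reference copy in bounds, but `shifted = ret.size() - shift` can still be narrowed if `shifted` is a 16-bit unsigned variable. Its declaration is outside this hunk; the commit message's mention of wrap-around suggests an unsigned type. If so, once the output exceeds 65535 bytes the copy would start from a wrong (though still in-bounds) offset and silently produce incorrect data from a crafted or oversized record. Declaring the index where it is used, with the width of `ret.size()`, avoids this: `const auto start = ret.size() - shift;` then `for (auto pos = start; pos < start + copyLength; ++pos) ret.append(ret.at(pos));`. That also stops the loop counter from shadowing the outer `i` that indexes `data` in the context line `data.at(i++)`. The enclosing function starts and ends outside the hunk.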
-- 
2.48.1
