Out of bounds write, crash
gabb99 opened this issue
Gabriel Beauchemin commented
diff --git a/src/util.c b/src/util.c
index be08b26..8887afd 100644
--- a/src/util.c
+++ b/src/util.c
@@ -1601,7 +1601,7 @@ static MOBI_RET mobi_decompress_content(const MOBIData *m, char *text, FILE *fil
if (dump) {
fwrite(decompressed, 1, decompressed_size, file);
} else {
- if (text_length > *len) {
+ if (text_length + decompressed_size > *len) {
debug_print("%s", "Text buffer too small\n");
/* free huff/cdic tables */
mobi_free_huffcdic(huffcdic);
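Review bot: The new condition `text_length + decompressed_size > *len` performs an unchecked addition, and the operand types are not visible in this hunk; if they are unsigned sizes, a large `decompressed_size` could wrap the sum and let the check pass again. Consider writing it as a subtraction, for example `decompressed_size > *len - text_length`, guarded by a prior `text_length > *len` test so the subtraction cannot underflow. A short comment on this line stating that `*len` is the total capacity of `text` and `text_length` the bytes already written would also make the invariant clear to the next reader.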
--
2.7.4
Bartek Fabiszewski commented
Thanks for catching this!