From 05a21bc8eed569bacd695ea6cce28371a936211c Mon Sep 17 00:00:00 2001
From: Jef Driesen
Date: Mon, 15 Apr 2019 13:36:33 +0200
Subject: [PATCH] Fix a buffer overflow

The length field in the data is checked for the maximum size (e.g. the size of the buffer), but there is no such check on the minimum size (e.g. the size of the header). If the length is smaller, the code accessed data before the start of the buffer.
---
 src/mares_iconhd_parser.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/mares_iconhd_parser.c b/src/mares_iconhd_parser.c
index e66d190..c12e8c4 100644
--- a/src/mares_iconhd_parser.c
+++ b/src/mares_iconhd_parser.c
@@ -100,13 +100,13 @@ mares_iconhd_parser_cache (mares_iconhd_parser_t *parser)
 	else if (parser->model == SMARTAPNEA)
 		header = 6; // Type and number of samples only!
 
-	if (size < header + 4) {
+	if (size < 4) {
 		ERROR (abstract->context, "Buffer overflow detected!");
 		return DC_STATUS_DATAFORMAT;
 	}
 
 	unsigned int length = array_uint32_le (data);
-	if (length > size) {
+	if (length < 4 + header || length > size) {
 		ERROR (abstract->context, "Buffer overflow detected!");
 		return DC_STATUS_DATAFORMAT;
 	}
@@ -146,7 +146,7 @@ mares_iconhd_parser_cache (mares_iconhd_parser_t *parser)
 		samplesize = 14;
 	}
 
-	if (length < headersize) {
+	if (length < 4 + headersize) {
 		ERROR (abstract->context, "Buffer overflow detected!");
 		return DC_STATUS_DATAFORMAT;
 	}
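Review bot: The minimum-length rejection added in `if (length < 4 + header || length > size)` reports the same `"Buffer overflow detected!"` message as the two maximum-size checks, although this new condition catches a too-short length field (the under-read the commit description calls accessing data before the start of the buffer); the same applies to `if (length < 4 + headersize)` in the second hunk. A distinct message such as `ERROR (abstract->context, "Invalid dive length.");` on those two branches would make a rejected dive diagnosable from the log without reading the parser. A short comment above the first check recording that `length` counts from the start of the buffer and must cover the 4-byte length field plus the header would document the invariant the two checks now enforce; whether `headersize` is always at least `header`, which would make the second check the stricter one, is not visible in these hunks. `mares_iconhd_parser_cache` begins before the first hunk and continues past the second.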