From 350893fb27719bf1779d57a645b69cca0a2bc988 Mon Sep 17 00:00:00 2001
From: Jef Driesen
Date: Thu, 23 Nov 2017 21:19:13 +0100
Subject: [PATCH] Fix some potential buffer overflows

Verify the buffer size before accessing its content!
---
 src/hw_ostc_parser.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/hw_ostc_parser.c b/src/hw_ostc_parser.c
index d01f087..a96456c 100644
--- a/src/hw_ostc_parser.c
+++ b/src/hw_ostc_parser.c
@@ -569,6 +569,14 @@ hw_ostc_parser_samples_foreach (dc_parser_t *abstract, dc_sample_callback_t call
 unsigned int header = parser->header;
 const hw_ostc_layout_t *layout = parser->layout;
 
+ // Check the header length.
+ if (version == 0x23 || version == 0x24) {
+ if (size < header + 5) {
+ ERROR (abstract->context, "Buffer overflow detected!");
+ return DC_STATUS_DATAFORMAT;
+ }
+ }
+
 // Get the sample rate.
 unsigned int samplerate = 0;
 if (version == 0x23 || version == 0x24)
@@ -595,6 +603,14 @@ hw_ostc_parser_samples_foreach (dc_parser_t *abstract, dc_sample_callback_t call
 return DC_STATUS_DATAFORMAT;
 }
 
+ // Check the header length.
+ if (version == 0x23 || version == 0x24) {
+ if (size < header + 5 + 3 * nconfig) {
+ ERROR (abstract->context, "Buffer overflow detected!");
+ return DC_STATUS_DATAFORMAT;
+ }
+ }
+
 // Get the extended sample configuration.
 hw_ostc_sample_info_t info[MAXCONFIG] = {{0}};
 for (unsigned int i = 0; i < nconfig; ++i) {
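Review bot: The message `"Buffer overflow detected!"` in the guard added at -569 misdescribes the condition, because the check fires when `size` is smaller than `header + 5`, meaning the input is truncated and nothing has overflowed. The guard added at -595 logs the identical string, so a log line from a malformed dive cannot show which bound failed. Distinct messages would make triage easier, for example `ERROR (abstract->context, "Sample header truncated.");` here and `ERROR (abstract->context, "Extended sample configuration truncated.");` in the second guard. The guard also applies only to versions 0x23 and 0x24; the sample-rate read for other versions lies past the last context line, so its bounds should be confirmed separately.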
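Review bot: The bound `header + 5 + 3 * nconfig` in the guard added at -595 carries two unexplained constants and is only meaningful if `nconfig` was already capped. That cap is presumably the check whose tail (`return DC_STATUS_DATAFORMAT; }`) shows as context just above, but it starts outside the hunk. A comment would keep the guard in sync with the code it protects, such as `// Fixed part is 5 bytes; each of the nconfig (<= MAXCONFIG) entries adds 3.` The loop that consumes the entries continues past the last context line, so the three-bytes-per-entry figure should be confirmed against it.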