From 3536086015ac07b4104d2d0aee7ca3ee067bd8a1 Mon Sep 17 00:00:00 2001
From: Jef Driesen
Date: Sat, 19 Oct 2013 21:48:00 +0200
Subject: [PATCH] Check the buffer size before using the data.

For the Galileo Trimix, the header length isn't fixed. The actual length depends on whether the dive has the trimix setting enabled or not. Because at this point we're still trying to determine the length of the header, it hasn't been checked yet and an extra check is necessary.
---
 src/uwatec_smart_parser.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/uwatec_smart_parser.c b/src/uwatec_smart_parser.c
index 5f571bb..addc295 100644
--- a/src/uwatec_smart_parser.c
+++ b/src/uwatec_smart_parser.c
@@ -363,6 +363,9 @@ uwatec_smart_parser_get_field (dc_parser_t *abstract, dc_field_type_t type, unsi
 unsigned int trimix = 0;
 if (parser->model == GALILEOTRIMIX) {
+ if (size < 44)
+ return DC_STATUS_DATAFORMAT;
+
 if (data[43] & 0x80) {
 header = 0xB1;
 trimix = 1;
@@ -473,6 +476,9 @@ uwatec_smart_parser_samples_foreach (dc_parser_t *abstract, dc_sample_callback_t
 unsigned int trimix = 0;
 if (parser->model == GALILEOTRIMIX) {
+ if (size < 44)
+ return DC_STATUS_DATAFORMAT;
+
 if (data[43] & 0x80) {
 header = 0xB1;
 trimix = 1;
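Review bot: The guard `if (size < 44)` is linked to the read of `data[43]` only by two hand-counted literals, and the same three lines are repeated in uwatec_smart_parser_samples_foreach (second hunk), so a later edit to one copy can leave the other reading out of bounds. Deriving both from one named offset keeps the check and the read in step, for example `if (size <= TRIMIX_FLAG_OFFSET) return DC_STATUS_DATAFORMAT;` ahead of `data[TRIMIX_FLAG_OFFSET] & 0x80`, where `TRIMIX_FLAG_OFFSET` is a suggested name for 43. A short comment such as `/* header length not validated yet: the trimix flag decides which length applies */` would record why this check has to come before the general one. The buffer is parsed dive data whose length the parser does not control, so it is also worth confirming that the header-length check mentioned in the commit message runs after `header` is raised to 0xB1. That check and the rest of both function bodies are outside the hunks.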