bug fix, avatar item deserialisation unsafely assumes valid image length. caused crash on windows.

git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@5194 b45a01b8-16f6-495d-af2f-9b41ad6348cc
2024-10-01 02:35:48 -04:00 · 2012-06-04 12:49:54 +00:00 · 2012-06-04 12:49:54 +00:00 · 94729aae4b
commit 94729aae4b
parent ff6276e920
1 changed files with 8 additions and 3 deletions
--- a/libretroshare/src/serialiser/rsmsgitems.cc
+++ b/libretroshare/src/serialiser/rsmsgitems.cc
@ -1091,9 +1091,14 @@ RsChatAvatarItem::RsChatAvatarItem(void *data,uint32_t /*size*/)
 	/* get mandatory parts first */
 	ok &= getRawUInt32(data, rssize, &offset,&image_size);

-	image_data = new unsigned char[image_size] ;
-	memcpy(image_data,(void*)((unsigned char*)data+offset),image_size) ;
-	offset += image_size ;
+        // ensure invalid image length does not overflow data
+        if( (offset + image_size) <= rssize){
+            image_data = new unsigned char[image_size] ;
+            memcpy(image_data,(void*)((unsigned char*)data+offset),image_size) ;
+            offset += image_size ;
+        }else{
+            ok = false;
+        }

 	if (offset != rssize)
 		std::cerr << "Size error while deserializing." << std::endl ;