fix missing group title length check

This fixes a buffer overflow when a malformed *.tox save file is loaded.
2024-03-22 13:30:51 +08:00 · 2019-08-03 14:55:41 +02:00 · 2019-08-03 14:55:41 +02:00 · 8ed83c3d4c
commit 8ed83c3d4c
parent 7418174129
1 changed files with 5 additions and 0 deletions
--- a/toxcore/group.c
+++ b/toxcore/group.c
@ -3294,6 +3294,11 @@ static State_Load_Status load_conferences(Group_Chats *g_c, const uint8_t *data,
        }

        g->title_len = *data;
+
+        if (g->title_len > MAX_NAME_LENGTH) {
+            return STATE_LOAD_STATUS_ERROR;
+        }
+
        ++data;

        if (length < (uint32_t)(data - init_data) + g->title_len) {