From d9b3c922d664d03100b9f37da129b382054ea3b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A1bor=20Cs=C3=A1rdi?= Date: Fri, 9 Feb 2024 18:31:01 -0500 Subject: [PATCH] Fix a buffer overflow It happens if raw_str_used underflows and ends up a very large number, which is then used as the size of a string. Closes #285. --- src/spss/readstat_sav_read.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/spss/readstat_sav_read.c b/src/spss/readstat_sav_read.c index 7f49490..460bf07 100644 --- a/src/spss/readstat_sav_read.c +++ b/src/spss/readstat_sav_read.c @@ -717,7 +717,7 @@ static readstat_error_t sav_process_row(unsigned char *buffer, size_t buffer_len } if (++offset == col_info->width) { if (++segment_offset < var_info->n_segments) { - raw_str_used--; + if (raw_str_used > 0) raw_str_used--; } offset = 0; col++;