Made sure the CopyQM reading code does not overflow the allocated buffer.

2016-12-28 23:53:31 +01:00
parent 17e2cd6776
commit c8b57ccbe2
1 changed files with 22 additions and 4 deletions
--- a/src/disc_img.c
+++ b/src/disc_img.c
@@ -349,13 +349,31 @@ void img_load(int drive, char *fn)
 					{
 						rep_byte = fgetc(img[drive].f);
 						block_len = -block_len;
-						memset(img[drive].cqm_data + cur_pos, rep_byte, block_len);
-						cur_pos += block_len;
+						if (img[drive].cqm_data + cur_pos + block_len) > ((uint32_t) bpb_total) * ((uint32_t) bpb_bps))
+						{
+							block_len = ((uint32_t) bpb_total) * ((uint32_t) bpb_bps) - (img[drive].cqm_data + cur_pos);
+							memset(img[drive].cqm_data + cur_pos, rep_byte, block_len);
+							break;
+						}
+						else
+						{
+							memset(img[drive].cqm_data + cur_pos, rep_byte, block_len);
+							cur_pos += block_len;
+						}
 					}
 					else if (block_len > 0)
 					{
-						fread(img[drive].cqm_data + cur_pos, 1, block_len, img[drive].f);
-						cur_pos += block_len;
+						if (img[drive].cqm_data + cur_pos + block_len) > ((uint32_t) bpb_total) * ((uint32_t) bpb_bps))
+						{
+							block_len = ((uint32_t) bpb_total) * ((uint32_t) bpb_bps) - (img[drive].cqm_data + cur_pos);
+							fread(img[drive].cqm_data + cur_pos, 1, block_len, img[drive].f);
+							break;
+						}
+						else
+						{
+							fread(img[drive].cqm_data + cur_pos, 1, block_len, img[drive].f);
+							cur_pos += block_len;
+						}
 					}
 				}
 			}