From c8b57ccbe2c364a45baa8d12a1e6e8f38e4655b1 Mon Sep 17 00:00:00 2001
From: OBattler
Date: Wed, 28 Dec 2016 23:53:31 +0100
Subject: [PATCH] Made sure the CopyQM reading code does not overflow the allocated buffer.

---
 src/disc_img.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/src/disc_img.c b/src/disc_img.c
index f4b531ef1..3f43f3080 100644
--- a/src/disc_img.c
+++ b/src/disc_img.c
@@ -349,13 +349,31 @@ void img_load(int drive, char *fn)
 {
 rep_byte = fgetc(img[drive].f);
 block_len = -block_len;
-memset(img[drive].cqm_data + cur_pos, rep_byte, block_len);
-cur_pos += block_len;
+if (img[drive].cqm_data + cur_pos + block_len) > ((uint32_t) bpb_total) * ((uint32_t) bpb_bps))
+{
+block_len = ((uint32_t) bpb_total) * ((uint32_t) bpb_bps) - (img[drive].cqm_data + cur_pos);
+memset(img[drive].cqm_data + cur_pos, rep_byte, block_len);
+break;
+}
+else
+{
+memset(img[drive].cqm_data + cur_pos, rep_byte, block_len);
+cur_pos += block_len;
+}
 }
 else if (block_len > 0)
 {
-fread(img[drive].cqm_data + cur_pos, 1, block_len, img[drive].f);
-cur_pos += block_len;
+if (img[drive].cqm_data + cur_pos + block_len) > ((uint32_t) bpb_total) * ((uint32_t) bpb_bps))
+{
+block_len = ((uint32_t) bpb_total) * ((uint32_t) bpb_bps) - (img[drive].cqm_data + cur_pos);
+fread(img[drive].cqm_data + cur_pos, 1, block_len, img[drive].f);
+break;
+}
+else
+{
+fread(img[drive].cqm_data + cur_pos, 1, block_len, img[drive].f);
+cur_pos += block_len;
+}
 }
 }
 }
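Review bot: The two added bounds checks compare the pointer `img[drive].cqm_data + cur_pos + block_len` against an integer byte count and also have unbalanced parentheses (`if (... + block_len) > (...))`), so as written they do not compile, and the clamp `block_len = total - (img[drive].cqm_data + cur_pos)` subtracts a pointer from an integer rather than computing the remaining room. The bound that actually protects the buffer is the offset, not the address: at both sites change the guard to `if (cur_pos + block_len > ((uint32_t) bpb_total) * ((uint32_t) bpb_bps))` and the clamp to `block_len = ((uint32_t) bpb_total) * ((uint32_t) bpb_bps) - cur_pos;`, and it would be clearer to compute that product once into a local such as `cqm_size` before the loop. The `fread` return value is still unchecked in the new branches, so a truncated CopyQM file leaves the tail of `cqm_data` holding whatever was there before; if the caller relies on it being filled, the short-read case needs its own handling. The loop that the added `break` statements leave, and the allocation of `cqm_data`, are outside this hunk, so I am assuming the allocated size is exactly `bpb_total * bpb_bps` bytes; that assumption is worth confirming against the allocation.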