lepc: added bound check for collect_tgt

warmcat · May 30, 2024 · 090ec8e · 090ec8e
1 parent d1d622d
commit 090ec8e
Showing 1 changed file with 15 additions and 4 deletions.
diff --git a/lib/misc/lecp.c b/lib/misc/lecp.c
@@ -673,10 +673,21 @@ lecp_parse(struct lecp_ctx *ctx, const uint8_t *cbor, size_t len)
 		 * We're collecting int / float pieces
 		 */
 		case LECP_COLLECT:
-			if (ctx->be)
-				*ctx->collect_tgt++ = c;
-			else
-				*ctx->collect_tgt-- = c;
+			if (ctx->be) {
+
+				if (ctx->collect_tgt + 1 >= &ctx->item.opcode)
+					*ctx->collect_tgt = c;
+				else
+					*ctx->collect_tgt++ = c;
+
+			} else {
+
+				if (ctx->collect_tgt <= (uint8_t *)&ctx->item.u)
+					*ctx->collect_tgt = c;
+				else
+					*ctx->collect_tgt-- = c;
+
+			}
 
 			if (--st->collect_rem)
 				break;