Fix potential buffer overflow.

There was a case where we could read past the end of the token buffer if a comment token said it was larger than it really was. --HG-- branch : trunk
icculus · Jun 25, 2008 · 0312e92 · 0312e92
1 parent b58fd47
commit 0312e92
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/mojoshader.c b/mojoshader.c
@@ -6939,9 +6939,14 @@ const MOJOSHADER_parseData *MOJOSHADER_parse(const char *profile,
         // reset for every token, and consider an error if it ever overflows!
         ctx->scratchidx = 0;
 
-        ctx->tokens += rc;
-        ctx->tokencount -= rc;
-        rc = parse_token(ctx);
+        if ( ((uint32) rc) > ctx->tokencount )
+            fail(ctx, "Corrupted or truncated shader");
+        else
+        {
+            ctx->tokens += rc;
+            ctx->tokencount -= rc;
+            rc = parse_token(ctx);
+        } // else
     } // while
 
     if (!isfail(ctx))