CVE-2022-29788: Fix issue with corrupt files with tagvalues_count = 0 that caused nul… · bfabiszewski/libmobi@ce0ab65
libmobi before v0.10 contains a NULL pointer dereference via the component mobi_buffer_getpointer. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted mobi file.
@@ -1057,7 +1057,7 @@ MOBI_RET mobi_trie_insert_infl(MOBITrie **root, const MOBIIndx *indx, size_t i)
for (size_t j = 0; j < e.tags_count; j++) {
MOBIIndexTag t = e.tags[j];
if (t.tagid == INDX_TAGARR_INFL_PARTS_V1) {
for (size_t k = 0; k < t.tagvalues_count - 1; k += 2) {
for (size_t k = 0; k + 1 < t.tagvalues_count; k += 2) {
uint32_t len = t.tagvalues[k];
uint32_t offset = t.tagvalues[k + 1];
char *base = mobi_get_cncx_string_flat(indx->cncx_record, offset, len);
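Review bot: the new loop bound `for (size_t k = 0; k + 1 < t.tagvalues_count; k += 2)` is the right fix, because the old form `k < t.tagvalues_count - 1` underflows when tagvalues_count is 0 (the count is unsigned, as the headline's count = 0 crash implies), so the body ran against an entry with no tag values and dereferenced `t.tagvalues[k]`; the rewritten condition also still drops a trailing unpaired value when the count is odd, since `len` and `offset` are consumed as pairs. Two follow-ups worth adding in this hunk: a short comment above the loop stating that the bound must be written as `k + 1 < count` rather than `count - 1` so a later cleanup does not reintroduce the underflow, and a regression test that feeds a crafted index entry with tagvalues_count = 0 through mobi_trie_insert_infl and asserts it returns without touching tagvalues.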