Fix an integer overflow in LcfReader::ReadString resulting in a heap corruption.

Ghabry · Ghabry · commit 98c8709904cc · 2017-04-02T19:50:21.000+02:00
Thanks to @Scrippie Fixes #194
diff --git a/src/reader_lcf.cpp b/src/reader_lcf.cpp
@@ -160,10 +160,9 @@ void LcfReader::Read<uint32_t>(std::vector<uint32_t> &buffer, size_t size) {
 }
 
 void LcfReader::ReadString(std::string& ref, size_t size) {
-	char* chars = new char[size + 1];
-	chars[size] = '\0';
+	char* chars = new char[size];
 	Read(chars, 1, size);
-	ref = Encode(std::string(chars));
+	ref = Encode(std::string(chars, size));
 	delete[] chars;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -160,10 +160,9 @@ void LcfReader::Read<uint32_t>(std::vector<uint32_t> &buffer, size_t size) {`
`160`	`160`	`}`
`161`	`161`
`162`	`162`	`void LcfReader::ReadString(std::string& ref, size_t size) {`
`163`		`- char* chars = new char[size + 1];`
`164`		`- chars[size] = '\0';`
	`163`	`+ char* chars = new char[size];`
`165`	`164`	`Read(chars, 1, size);`
`166`		`- ref = Encode(std::string(chars));`
	`165`	`+ ref = Encode(std::string(chars, size));`
`167`	`166`	`delete[] chars;`
`168`	`167`	`}`
`169`	`168`