fix missing group title length check

This fixes a buffer overflow when a malformed *.tox save file is loaded.
TokTok · Aug 3, 2019 · fbbf6cf · fbbf6cf
1 parent 7aab0d9
commit fbbf6cf
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/toxcore/group.c b/toxcore/group.c
@@ -3294,6 +3294,11 @@ static State_Load_Status load_conferences(Group_Chats *g_c, const uint8_t *data,
         }
 
         g->title_len = *data;
+
+        if (g->title_len > MAX_NAME_LENGTH) {
+            return STATE_LOAD_STATUS_ERROR;
+        }
+
         ++data;
 
         if (length < (uint32_t)(data - init_data) + g->title_len) {