From f94738a2f11857fda194007e054fa26bee0690b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=BA=90=E6=96=87=E9=9B=A8?= <41315874+fumiama@users.noreply.github.com>
Date: Mon, 4 Apr 2022 18:05:56 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81=E7=BB=93?= =?UTF-8?q?=E6=9E=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 protobuf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/protobuf.c b/protobuf.c
index b4d18a1..d0cb37e 100644
--- a/protobuf.c
+++ b/protobuf.c
@@ -36,7 +36,7 @@ static int write_num(FILE* fp, uint32_t n) {
 SIMPLE_PB* get_pb(FILE* fp) {
 uint32_t init_pos = ftell(fp);
 uint32_t struct_len = read_num(fp);
- if(struct_len <= 1) return NULL;
+ if(struct_len <= 1 || struct_len >= 1u<<20) return NULL; // 1Bstruct_len = struct_len;
@@ -45,7 +45,7 @@ SIMPLE_PB* get_pb(FILE* fp) {
 for(char* p = spb->target; p < spb->target+struct_len; p += offset) {
 offset = read_num(fp);
 data_len = read_num(fp);
- if(data_len > 0) fread(p, data_len, 1, fp);
+ if(data_len > 0 && data_len <= offset) fread(p, data_len, 1, fp);
 }
 spb->real_len = ftell(fp) - init_pos;
 return spb;
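Review bot: The new upper bound `1u<<20` on `struct_len` in `get_pb` is an unnamed literal, although it is the policy limit for a length read from the file. I would give it a name (for example `SIMPLE_PB_MAX_LEN`) and a comment such as `/* largest struct_len accepted from an input file; larger values are treated as corrupt */`. The same added line still returns NULL for both a too-short and a too-large length, so a caller cannot tell end-of-data from a rejected record; a short note in the function's documentation would cover that. The trailing comment and the rest of this hunk are garbled on this page, so the allocation that the bound protects is not visible here.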
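Review bot: The added `data_len <= offset` test on the `fread` line bounds the read against the record's declared slot, but not against the space left in `spb->target`, and `offset` itself comes from `read_num(fp)` unchecked. Assuming the buffer holds `struct_len` bytes, a record near its end with a large `offset` and an equal `data_len` still lets `fread` write past `spb->target+struct_len`. An `offset` of 0 leaves `p` unchanged, so the loop does not advance. I would reject the record before reading, e.g. `if(offset == 0 || offset > (size_t)(spb->target + struct_len - p) || data_len > offset) { /* release spb */ return NULL; }`, and check that `fread` returned 1. Skipping an oversized field silently, as the new line does, also leaves the stream positioned inside that field's payload; the allocation of `spb` and the declarations of `offset` and `data_len` are outside this hunk, so the cleanup shown is an assumption.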