From ab5bf0e37e540eac682a14e628853b918626e72b Mon Sep 17 00:00:00 2001
From: Cen Zhang
Date: Thu, 9 Sep 2021 14:21:58 +0800
Subject: [PATCH] fix oob write bug inside libmobi

---
 src/buffer.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/buffer.c b/src/buffer.c
index 95d2e62..6dfca83 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -510,8 +510,8 @@ void mobi_buffer_move(MOBIBuffer *buf, const int offset, const size_t len) {
 }
 source += aoffset;
 } else {
- if (buf->offset < aoffset) {
- debug_print("%s", "End of buffer\n");
+ if ( (buf->offset < aoffset) || (buf->offset + len > buf->maxlen) ) {
+ debug_print("%s", "Beyond start/end of buffer\n");
 buf->error = MOBI_BUFFER_END;
 return;
 }
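Review bot: The new upper-bound test `buf->offset + len > buf->maxlen` in the negative-offset branch uses an addition that can wrap, so a very large `len` (a `size_t` per the signature, and presumably derived from file contents) makes the sum small and the check passes. Writing it in subtraction form avoids the wrap: `if ( (buf->offset < aoffset) || (buf->offset > buf->maxlen) || (len > buf->maxlen - buf->offset) ) {`. This assumes `buf->offset` and `buf->maxlen` are unsigned size fields, which the hunk does not show. The function body starts and ends outside the hunk, so the `offset >= 0` branch's own bound check is not visible here; if it also sums `offset`, `aoffset` and `len`, it deserves the same treatment.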