From 6904ebc247f01b5fe27d58c5dbb27e38af8449fb Mon Sep 17 00:00:00 2001
From: Bartek Fabiszewski
Date: Wed, 20 Jun 2018 12:26:28 +0200
Subject: [PATCH] Fix: buffer overflow (CVE-2018-11726)
---
 src/util.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/util.c b/src/util.c
index 0fc370a..512808b 100644
--- a/src/util.c
+++ b/src/util.c
@@ -2400,6 +2400,12 @@ MOBI_RET mobi_decode_font_resource(unsigned char **decoded_font, size_t *decoded
             return MOBI_DATA_CORRUPT;
         }
     } else {
+        if (*decoded_size < encoded_size) {
+            buffer_free(buf);
+            free(*decoded_font);
+            debug_print("Font size in record (%zu) larger then declared (%zu)\n", encoded_size, *decoded_size);
+            return MOBI_DATA_CORRUPT;
+        }
         memcpy(*decoded_font, encoded_font, encoded_size);
     }
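Review bot: The new error path frees `*decoded_font` but leaves the caller's out-parameter pointing at the freed block, so a caller that also releases `*decoded_font` on a MOBI_DATA_CORRUPT return (its error handling is not visible here) would double-free; clearing it, `free(*decoded_font); *decoded_font = NULL;`, closes that window at no cost because free(NULL) is a no-op. The size comparison is the right guard for the memcpy into `*decoded_font` only if `*decoded_size` is the capacity that buffer was allocated with — the allocation is outside the hunk, so that is worth confirming, as is whether `encoded_font` needs releasing on this path like the other resources. The `debug_print` message has a typo: `larger then declared` should read `larger than declared`. mobi_decode_font_resource begins before and continues after this hunk.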