The for loop in gsfDecodeProcessingParameters has a range check, but the ft entry is expanded before the check runs. Decode is still better than encode: gsfEncodeProcessingParameters does no bounds checking.
This issue likely also exists for gsfSensorParameters.
int
gsfDecodeProcessingParameters(gsfProcessingParameters *param, GSF_FILE_TABLE *ft, unsigned char *sptr)
{
    /* snip */

    /* Next two byte integer contains the number of parameters in this record. */
    memcpy(&stemp, p, 2);
    p += 2;
    param->number_parameters = (int) ntohs(stemp);
    /* TODO(schwehr): if (param->number_parameters >= GSF_MAX_PROCESSING_PARAMETERS) */
    /*   return an error. */

    /* snip */
}
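An added example, not code from the GSF library: a stand-alone decoder that validates the two-byte parameter count against the table size before any table slot is touched, and checks every read against the buffer length. The names demo_params, demo_decode_params and MAX_PARAMS, the value 128, the explicit len argument and the simplified count / size / bytes record layout are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PARAMS 128 /* assumed stand-in for GSF_MAX_PROCESSING_PARAMETERS */

typedef struct {       /* hypothetical, simplified parameter table */
    int number_parameters;
    uint16_t param_size[MAX_PARAMS];
    const unsigned char *param[MAX_PARAMS];
} demo_params;

/* Read a big-endian 16-bit value without alignment assumptions. */
static unsigned be16(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Returns bytes consumed, or -1 if the record is malformed.
 * out->number_parameters is only updated when the whole record is valid. */
int demo_decode_params(demo_params *out, const unsigned char *buf, size_t len)
{
    const unsigned char *p = buf, *end = buf + len;
    unsigned count, i;

    if (len < 2) return -1;
    count = be16(p); p += 2;
    /* Reject an oversized count before indexing or growing anything. */
    if (count > MAX_PARAMS) return -1;

    for (i = 0; i < count; i++) {
        unsigned size;
        if ((size_t)(end - p) < 2) return -1;    /* room for the size field? */
        size = be16(p); p += 2;
        if ((size_t)(end - p) < size) return -1; /* room for the payload? */
        out->param_size[i] = (uint16_t)size;
        out->param[i] = p;
        p += size;
    }
    out->number_parameters = (int)count;
    return (int)(p - buf);
}

int main(void)
{
    /* Constructed sample records: one valid, one claiming 65535 parameters. */
    const unsigned char rec[] = {0x00, 0x02, 0x00, 0x03, 'a', '=', '1', 0x00, 0x02, 'b', '='};
    const unsigned char bad[] = {0xFF, 0xFF, 0x00, 0x01, 'x'};
    demo_params out = {0};
    printf("%d\n", demo_decode_params(&out, rec, sizeof rec));
    printf("%d\n", demo_decode_params(&out, bad, sizeof bad));
    return 0;
}
```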