From 38c99889382c7142b3cb94a5a5bae5266f4ab7a3 Mon Sep 17 00:00:00 2001
From: Thierry Crozat
Date: Tue, 14 Jun 2011 23:15:30 +0100
Subject: COMMON: Fix crash in TranslationManager when reading long strings

It was writing data beyond the end of a buffer. This change makes sure this does not happen. It only changes reading of the messages since the language codes, charset names and contexts are always much smaller than the buffer.
---
 common/translation.cpp | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/common/translation.cpp b/common/translation.cpp
index dc71ddc52f..526bebcec6 100644
--- a/common/translation.cpp
+++ b/common/translation.cpp
@@ -302,8 +302,13 @@ void TranslationManager::loadTranslationsInfoDat() {
 	_messageIds.resize(numMessages);
 	for (int i = 0; i < numMessages; ++i) {
 		len = in.readUint16BE();
-		in.read(buf, len);
-		_messageIds[i] = String(buf, len - 1);
+		String msg;
+		while (len > 0) {
+			in.read(buf, len > 256 ? 256 : len);
+			msg += String(buf, len > 256 ? 256 : len - 1);
+			len -= 256;
+		}
+		_messageIds[i] = msg;
 	}
 }
 
@@ -357,8 +362,13 @@ void TranslationManager::loadLanguageDat(int index) {
 	for (int i = 0; i < nbMessages; ++i) {
 		_currentTranslationMessages[i].msgid = in.readUint16BE();
 		len = in.readUint16BE();
-		in.read(buf, len);
-		_currentTranslationMessages[i].msgstr = String(buf, len - 1);
+		String msg;
+		while (len > 0) {
+			in.read(buf, len > 256 ? 256 : len);
+			msg += String(buf, len > 256 ? 256 : len - 1);
+			len -= 256;
+		}
+		_currentTranslationMessages[i].msgstr = msg;
 		len = in.readUint16BE();
 		if (len > 0) {
 			in.read(buf, len);
-- 
cgit v1.2.3
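Review bot: The chunk size `256` is written four times in this hunk and again in the matching loop in loadLanguageDat, and nothing ties it to the declared size of `buf`, which lives outside the hunk; if `buf` is ever resized, the overflow this commit fixes comes back silently, so the constant should be derived from the buffer's declaration and computed once per iteration. Hoisting it into `const int chunk = len > 256 ? 256 : len;` and subtracting `chunk` instead of `256` also removes the dependence on `len` being signed: the declaration of `len` is not visible here, and if it is an unsigned type the `len -= 256` on the final short chunk wraps around and the loop never terminates. The return value of `in.read` is still ignored, so a truncated data file leaves stale buffer bytes in the message rather than failing; checking the byte count (or the stream's error state) before appending would make the loop honest about short reads. The `in.read(buf, len)` in the trailing context of the second hunk stays unbounded; the commit message argues those fields are always small, but a length check against the buffer size there would make the loader fully defensive against a malformed file. Both enclosing functions begin and end outside their hunks.
```cpp
		String msg;
		while (len > 0) {
			// Read at most one buffer's worth per iteration; 256 must match the declared size of buf.
			const int chunk = len > 256 ? 256 : len;
			in.read(buf, chunk);
			// The final byte of the stored string is not part of the text (the original dropped it with len - 1),
			// so trim it from the last chunk only.
			msg += String(buf, len > chunk ? chunk : chunk - 1);
			len -= chunk;
		}
		// … unchanged: assignment of msg …
```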