author | Aleksander Morgado <aleksandermj@chromium.org> | 2023-03-30 20:08:18 +0000 |
---|---|---|
committer | Aleksander Morgado <aleksandermj@chromium.org> | 2023-03-30 20:32:37 +0000 |
commit | dbafff23a42818820591234416b696984f4cc152 (patch) | |
tree | a3706d2c986084c2651f6efa99025c2600aeccb5 /src/mm-sms-part-3gpp.c | |
parent | 60ef408cd7c3d0c28ba6ac8809a1ff1a363d23d7 (diff) |
sms-part-3gpp: avoid underflow in tp_user_data_size_elements
==101461== Command: ./build/test/mmsmspdu --pdu=004100010100014B00002E --verbose
==101461==
[debug] parsing PDU (0)...
[debug] no SMSC address given
[debug] submit type PDU detected
[debug] message reference: 0
[debug] address size: 1 digits (1 bytes)
[debug] number parsed: 00
[debug] PID: 1
[debug] user data encoding is GSM7
[debug] user data length: 0 elements
[debug] user data length: 0 bytes
[debug] decoding SMS text with 4294967294 elements
Based on a patch from Michal Mazur <mkm@semihalf.com>.
Diffstat (limited to 'src/mm-sms-part-3gpp.c')
-rw-r--r-- | src/mm-sms-part-3gpp.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/src/mm-sms-part-3gpp.c b/src/mm-sms-part-3gpp.c
index 5d9d637a..aa34b220 100644
--- a/src/mm-sms-part-3gpp.c
+++ b/src/mm-sms-part-3gpp.c
@@ -692,6 +692,7 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint index,
     bit_offset = 0;
     if (has_udh) {
+        guint udhl_elements;
         guint udhl, end;
         udhl = pdu[tp_user_data_offset] + 1;
@@ -753,9 +754,18 @@ mm_sms_part_3gpp_new_from_binary_pdu (guint index,
              * user data to get a multiple of 7 (the padding). */
             bit_offset = (7 - udhl % 7) % 7;
-            tp_user_data_size_elements -= (udhl * 8 + bit_offset) / 7;
+            udhl_elements = (udhl * 8 + bit_offset) / 7;
         } else
-            tp_user_data_size_elements -= udhl;
+            udhl_elements = udhl;
+
+        if (udhl_elements >= tp_user_data_size_elements) {
+            g_set_error (error, MM_CORE_ERROR, MM_CORE_ERROR_FAILED, "udhl length (%u) is greater than data size (%u)", udhl_elements, tp_user_data_size_elements);
+            mm_sms_part_free (sms_part);
+            return NULL;
+        }
+        tp_user_data_size_elements -= udhl_elements;
     }
     switch (user_data_encoding) {
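Review bot: The new guard in the second hunk rejects the case `udhl_elements == tp_user_data_size_elements` (the `>=` comparison), yet the error it reports says the header is "greater than" the data size, so a PDU whose user-data header exactly fills TP-UD is refused with a misleading message. If a part with a header and zero text elements is meant to be treated as malformed, reword the message, e.g. `"udhl length (%u) is not smaller than data size (%u)"`; if it is meant to be accepted (the original subtraction yields 0 there, not the underflow the commit title describes), the condition should be `if (udhl_elements > tp_user_data_size_elements) {`. The `pdu[tp_user_data_offset]` read that feeds `udhl` sits in the first hunk, and whether that offset is checked against the PDU length is not visible here. mm_sms_part_3gpp_new_from_binary_pdu begins and ends outside both hunks.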