From 0244904c1f63eefa8bdfc38be57623aa0dc101a5 Mon Sep 17 00:00:00 2001
From: Robin Stuart <rstuart114@gmail.com>
Date: Sun, 29 Mar 2020 14:23:31 +0100
Subject: [PATCH] Prevent buffer overrun in Code One

Fixes #184 reported by Milton Neal
---
 backend/code1.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/backend/code1.c b/backend/code1.c
index d6996839..42ad9c64 100644
--- a/backend/code1.c
+++ b/backend/code1.c
@@ -441,9 +441,11 @@ static int c1_encode(struct zint_symbol *symbol, unsigned char source[], unsigne
 
                 if (j == 13) {
                     latch = 0;
-                    for (i = sp + 13; i < length; i++) {
-                        if (!((source[i] >= '0') && (source[i] <= '9'))) {
-                            latch = 1;
+                    if ((length - sp) >= 14) {
+                        for (i = sp + 13; i < length; i++) {
+                            if (!((source[i] >= '0') && (source[i] <= '9'))) {
+                                latch = 1;
+                            }
                         }
                     }
 
@@ -490,9 +492,11 @@ static int c1_encode(struct zint_symbol *symbol, unsigned char source[], unsigne
 
                             if (j == 7) {
                                 latch = 0;
-                                for (i = sp + 7; i < length; i++) {
-                                    if (!((source[sp + i] >= '0') && (source[sp + i] <= '9'))) {
-                                        latch = 1;
+                                if ((length - sp) >= 8) {
+                                    for (i = sp + 7; i < length; i++) {
+                                        if (!((source[sp + i] >= '0') && (source[sp + i] <= '9'))) {
+                                            latch = 1;
+                                        }
                                     }
                                 }