From 00d2e45ba05db247c6799371cd45ee78089eeb36 Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Wed, 26 Sep 2018 14:04:08 -0700
Subject: [PATCH] pspp-dump-sav: Better handle unreasonable variable label lengths.
Bug #54725. Thanks to Peter Lemenkov for reporting this bug.
---
 utilities/pspp-dump-sav.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/utilities/pspp-dump-sav.c b/utilities/pspp-dump-sav.c
index f207d8ecbf..a10ff148bd 100644
--- a/utilities/pspp-dump-sav.c
+++ b/utilities/pspp-dump-sav.c
@@ -444,14 +444,12 @@ read_variable_record (struct sfm_reader *r)
 if (has_variable_label == 1)
 {
 long long int offset = ftello (r->file);
- size_t len;
- char *label;
+ enum { MAX_LABEL_LEN = 65536 };
- len = read_int (r);
-
- /* Read up to 255 bytes of label. */
- label = xmalloc (len + 1);
- read_string (r, label, len + 1);
+ size_t len = read_int (r);
+ size_t read_len = MIN (MAX_LABEL_LEN, len);
+ char *label = xmalloc (read_len + 1);
+ read_string (r, label, read_len + 1);
 printf("\t%08llx Variable label: \"%s\"\n", offset, label);
 free (label);
-- 
2.30.2
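Review bot: The clamp `MIN (MAX_LABEL_LEN, len)` bounds the allocation, but when the file declares a longer label the remaining `len - read_len` bytes are left unread and nothing in this hunk reports that the label was cut. The rest of read_variable_record lies outside the hunk, so whether later code consumes that tail is not visible here; if it does not, the records after an oversized label would be decoded from the wrong offset. For a dump tool the out-of-range length is itself the finding, so I would print it after `read_string`, e.g. `if (len > read_len) printf ("\t\t(declared label length %zu exceeds %d; truncated)\n", len, MAX_LABEL_LEN);`, and skip the unread tail before continuing. `read_int` also looks like it returns a signed value that is assigned straight to `size_t`, so a negative length would be folded into the clamp silently; checking the sign before the conversion would make that case explicit.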