From 6f07e89fdfb0ef3ca554ceac576aceb4420aa1c3 Mon Sep 17 00:00:00 2001
From: Alex Rebert <alexandre.rebert@gmail.com>
Date: Thu, 28 Oct 2021 23:50:16 -0400
Subject: [PATCH] Fix out-of-bounds read in RemoveLineComments

Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24553
---
 code/Common/RemoveComments.cpp | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/code/Common/RemoveComments.cpp b/code/Common/RemoveComments.cpp
index e1ba99761..9974e985a 100644
--- a/code/Common/RemoveComments.cpp
+++ b/code/Common/RemoveComments.cpp
@@ -64,20 +64,28 @@ void CommentRemover::RemoveLineComments(const char* szComment,
     if (len > lenBuffer) {
         len = lenBuffer;
     }
-    while (*szBuffer)   {
+
+    char *szCurrent = szBuffer;
+    while (*szCurrent)   {
 
         // skip over quotes
-        if (*szBuffer == '\"' || *szBuffer == '\'')
-            while (*szBuffer++ && *szBuffer != '\"' && *szBuffer != '\'');
-        if (!strncmp(szBuffer,szComment,len)) {
-            while (!IsLineEnd(*szBuffer))
-                *szBuffer++ = chReplacement;
+        if (*szCurrent == '\"' || *szCurrent == '\'')
+            while (*szCurrent++ && *szCurrent != '\"' && *szCurrent != '\'');
 
-            if (!*szBuffer) {
+        size_t lenRemaining = lenBuffer - (szCurrent - szBuffer);
+        if(lenRemaining < len) {
+            break;
+        }
+
+        if (!strncmp(szCurrent,szComment,len)) {
+            while (!IsLineEnd(*szCurrent))
+                *szCurrent++ = chReplacement;
+
+            if (!*szCurrent) {
                 break;
             }
         }
-        ++szBuffer;
+        ++szCurrent;
     }
 }