From 145da70d0136e837b4d4926d079471b784e9598b Mon Sep 17 00:00:00 2001
From: Eduardo Dantas <eduardo.dantas@hotmail.com.br>
Date: Sat, 21 Dec 2024 18:46:57 -0300
Subject: [PATCH] fix: warning on decode lenght (#3188)

Resolves #3002
---
 src/security/rsa.cpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/security/rsa.cpp b/src/security/rsa.cpp
index 18e1f6e8393..f148ae6d952 100644
--- a/src/security/rsa.cpp
+++ b/src/security/rsa.cpp
@@ -170,11 +170,17 @@ uint16_t RSA::decodeLength(char*&pos) const {
 	if (length & 0x80) {
 		uint8_t numLengthBytes = length & 0x7F;
 		if (numLengthBytes > 4) {
-			g_logger().error("[RSA::loadPEM] - Invalid 'length'");
+			g_logger().error("[RSA::decodeLength] - Invalid 'length'");
 			return 0;
 		}
-		// Copy 'numLengthBytes' bytes from 'pos' into 'buffer', starting at the correct position
-		std::ranges::copy_n(pos, numLengthBytes, buffer.begin() + (4 - numLengthBytes));
+		// Adjust the copy destination to ensure it doesn't overflow
+		auto destIt = buffer.begin() + (4 - numLengthBytes);
+		if (destIt < buffer.begin() || destIt + numLengthBytes > buffer.end()) {
+			g_logger().error("[RSA::decodeLength] - Invalid copy range");
+			return 0;
+		}
+		// Copy 'numLengthBytes' bytes from 'pos' into 'buffer'
+		std::copy_n(pos, numLengthBytes, destIt);
 		pos += numLengthBytes;
 		// Reconstruct 'length' from 'buffer' (big-endian)
 		uint32_t tempLength = 0;
@@ -182,7 +188,7 @@ uint16_t RSA::decodeLength(char*&pos) const {
 			tempLength = (tempLength << 8) | buffer[4 - numLengthBytes + i];
 		}
 		if (tempLength > UINT16_MAX) {
-			g_logger().error("[RSA::loadPEM] - Length too large");
+			g_logger().error("[RSA::decodeLength] - Length too large");
 			return 0;
 		}
 		length = static_cast<uint16_t>(tempLength);