authorVadim Yanitskiy <vyanitskiy@sysmocom.de>2020-05-23 17:33:07 +0700
committerVadim Yanitskiy <vyanitskiy@sysmocom.de>2020-05-23 18:00:53 +0700
commitfac833264952aee68acfaf8676fe86159517ef50 (patch)
tree2264e87cb7dbd3a4b3799548b0a3d47429d14b46
parentc9915660ff41444b8af05ec57d7c7e832f49e273 (diff)
csn1: fix csnStreamEncoder(): also check length of the choice list
Similar checks are done in csnStreamDecoder(), so better check than sorry. Change-Id: I441c716975905a37264efc8a76df92194f39c1fb
-rw-r--r--src/csn1.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/csn1.c b/src/csn1.c
index 3347a649..700c342a 100644
--- a/src/csn1.c
+++ b/src/csn1.c
@@ -1802,10 +1802,16 @@ gint16 csnStreamEncoder(csnStream_t* ar, const CSN_DESCR* pDescr, struct bitvec
case CSN_CHOICE:
{
- //gint16 count = pDescr->i;
+ gint16 count = pDescr->i;
guint8 i = 0;
const CSN_ChoiceElement_t* pChoice = (const CSN_ChoiceElement_t*) pDescr->descr.ptr;
+ /* Make sure that the list of choice items is not empty */
+ if (!count)
+ return ProcessError(writeIndex, "csnStreamEncoder", CSN_ERROR_IN_SCRIPT, pDescr);
+ else if (count > 255) /* We can handle up to 256 (UCHAR_MAX) selectors */
+ return ProcessError(writeIndex, "csnStreamEncoder", CSN_ERROR_IN_SCRIPT, pDescr);
+
pui8 = pui8DATA(data, pDescr->offset);
i = *pui8;
pChoice += i;
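Review bot: The selector `i` read from `*pui8` is still added to `pChoice` without being compared against `count`, so the new local is range-checked but never used to bound the index; a selector in the data structure that is greater than or equal to the list length would move `pChoice` past the end of the choice list. After `i = *pui8;` I would add `if (i >= count) return ProcessError(writeIndex, "csnStreamEncoder", CSN_ERROR_IN_SCRIPT, pDescr);` (or whichever error code the project reserves for bad input data). Separately, `count` is a signed `gint16`, so `if (!count)` lets a negative length through; `if (count <= 0)` would cover both cases. The `CSN_CHOICE` case continues past the end of the hunk, so a later bound check may exist that is not visible here.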